Added additional CSP in order to correctly render MUI elements

bece690b · danielmyren · e4e0d960 · bece690b
Commit bece690b authored 8 months ago by danielmyren
--- a/backend/config.py
+++ b/backend/config.py
@@ -6,9 +6,13 @@ class Config:
    SECRET_KEY = os.environ.get("SECRET_KEY", "FaHW65b6vBDGlhazs-8JZHb4jiZvI_9jj6hcUa_EV1Q")
    # Generate a good salt using: secrets.SystemRandom().getrandbits(128)
    SECURITY_PASSWORD_SALT = os.environ.get("SECURITY_PASSWORD_SALT", "327589938147555935984237744799432734422")
-    # have session and remember cookie be samesite (flask/flask_login)
-    REMEMBER_COOKIE_SAMESITE = "strict"
-    SESSION_COOKIE_SAMESITE = "strict"
+
+
+    SESSION_COOKIE_HTTPONLY = False
+    SESSION_COOKIE_NAME = "test"
+
+    SESSION_COOKIE_SAMESITE = None # test
+
    SQLALCHEMY_DATABASE_URI = 'sqlite://' # Use an in-memory db
    SQLALCHEMY_ECHO = False

@@ -20,28 +24,32 @@ class Config:
    SECURITY_PASSWORD_LENGTH_MIN = 5 # TODO: Insecure
    SECURITY_SEND_REGISTER_EMAIL = False # Specifies whether registration email is sent.
    SECURITY_REGISTERABLE = True # Allow registration of new users without confirmation
-
    SECURITY_EMAIL_VALIDATOR_ARGS = {"test_environment": DEBUG}
-    #SECURITY_PASSWORD_COMPLEXITY_CHECKER = "zxcvbn"
+

    # No forms so no concept of flashing
    SECURITY_FLASH_MESSAGES = False

    # Enforce CSRF protection for session / browser - but allow token-based
    # API calls to go through
-    SECURITY_CSRF_PROTECT_MECHANISMS = ["session", "basic"]
-    SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS = False
-    SECURITY_CSRF_COOKIE_NAME = "XSRF-TOKEN"
+    #SECURITY_CSRF_PROTECT_MECHANISMS = ["session", "basic"]
+    #SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS = True # If True then CSRF will not be required for endpoints that don’t require authentication (e.g. login, logout, register, forgot_password).
+    #SECURITY_CSRF_COOKIE_NAME = "X-XSRF-Token" # The name for the CSRF cookie
+    #WTF_CSRF_TIME_LIMIT = None # Don't have csrf tokens expire (they are invalid after logout)

-    SECURITY_REDIRECT_BEHAVIOR = "spa"
+    #SECURITY_REDIRECT_BEHAVIOR = "spa"

-    WTF_CSRF_CHECK_DEFAULT = False
-    WTF_CSRF_TIME_LIMIT = None
+    #WTF_CSRF_CHECK_DEFAULT = False
+    #WTF_CSRF_TIME_LIMIT = None

    csp = {
        'default-src': [
            '\'self\'',
            'https://fonts.googleapis.com',
            'https://fonts.gstatic.com',
+        ],
+        'style-src': [
+            '\'self\'',
+            '\'unsafe-inline\'',
        ]
    }
\ No newline at end of file