openedx / edx-platform

The Open edX LMS & Studio, powering education sites around the world!
https://openedx.org
GNU Affero General Public License v3.0

Add Content-Security-Policy setting for CMS #31890

Open timmc-edx opened 1 year ago

timmc-edx commented 1 year ago

There currently is not a way to set a Content-Security-Policy (CSP) header for LMS or CMS, but this is a powerful security measure that deployers can take. 2U is starting to experiment with this, and the CMS is a good place to start, since it is lower traffic.

Acceptance criteria:

Presumably this would involve using a Django middleware. Possible ways to do this:

Alternatively, give up and just do it at the CDN level, but this approach would not help the community as much.
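As an added illustration of the Django-middleware approach discussed above (this is example code, not code from edx-platform, edx-django-utils or the linked PR): a minimal middleware that reads a policy string from settings and emits it as `Content-Security-Policy`, with a second setting for `Content-Security-Policy-Report-Only` so a deployer can trial a policy before enforcing it. Django is not imported so the module runs stand-alone; the class follows the standard new-style middleware contract and only needs the response to support `header in response` and `response[header] = value`, which `HttpResponse` does. The setting names (`CSP_STATIC_ENFORCE`, `CSP_STATIC_REPORT_ONLY`), the injectable `settings` argument and the `run_middleware` harness are assumptions made for this example.

```python
"""Added example (not edx-platform or edx-django-utils code): a Django-style
middleware that emits Content-Security-Policy headers from settings.

Django is deliberately not imported so this runs stand-alone. The middleware
follows Django's new-style contract (constructed with get_response, called
with a request, returns the response) and only relies on the response
supporting `header in response` and `response[header] = value`.
"""
from types import SimpleNamespace

# Hypothetical setting names (assumptions for this example, not the PR's names).
ENFORCE_SETTING = "CSP_STATIC_ENFORCE"          # -> Content-Security-Policy
REPORT_ONLY_SETTING = "CSP_STATIC_REPORT_ONLY"  # -> Content-Security-Policy-Report-Only

HEADER_ENFORCE = "Content-Security-Policy"
HEADER_REPORT_ONLY = "Content-Security-Policy-Report-Only"


def normalize_policy(value):
    """Turn a (possibly multi-line) policy string into one valid header value.

    HTTP header values cannot contain line breaks, and deployers often write a
    long policy across several lines of YAML. Directives are split on ';',
    internal whitespace is collapsed, empty directives dropped, and the result
    rejoined. Returns None for an empty/unset policy so the header is skipped.
    """
    if not value:
        return None
    flat = value.replace("\r", " ").replace("\n", " ")
    directives = [" ".join(d.split()) for d in flat.split(";")]
    directives = [d for d in directives if d]
    return "; ".join(directives) or None


class ContentSecurityPolicyMiddleware:
    """Adds CSP headers to every response based on two settings.

    - enforce setting     -> Content-Security-Policy (browser blocks violations)
    - report-only setting -> Content-Security-Policy-Report-Only (browser only
      reports), which lets a deployer trial a policy before enforcing it.
    A header already set by the view is left untouched so per-view values win.
    """

    def __init__(self, get_response, settings=None):
        self.get_response = get_response
        # In a real deployment this would be django.conf.settings; it is
        # injectable here (an assumption of the example) for testability.
        self.settings = settings if settings is not None else SimpleNamespace()

    def __call__(self, request):
        response = self.get_response(request)
        for setting_name, header in (
            (ENFORCE_SETTING, HEADER_ENFORCE),
            (REPORT_ONLY_SETTING, HEADER_REPORT_ONLY),
        ):
            policy = normalize_policy(getattr(self.settings, setting_name, None))
            if policy and header not in response:
                response[header] = policy
        return response


def run_middleware(enforce=None, report_only=None, existing_headers=None):
    """Constructed harness: run the middleware with a dict standing in for HttpResponse."""
    settings = SimpleNamespace(**{ENFORCE_SETTING: enforce, REPORT_ONLY_SETTING: report_only})

    def view(request):
        # Constructed stand-in for a view; a dict has the two response
        # operations the middleware uses (`in` and item assignment).
        return dict(existing_headers or {})

    return ContentSecurityPolicyMiddleware(view, settings)("request")


if __name__ == "__main__":
    print(run_middleware(report_only="default-src 'self';\n  img-src 'self' data:;"))
```

In a real deployment the class would be listed in `MIDDLEWARE` and read `django.conf.settings`; starting with only the report-only setting populated is the low-risk path the thread describes, since browsers report violations without blocking anything.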

timmc-edx commented 1 year ago

@robrap I'd be curious to get your input on weighing the options here.

robrap commented 1 year ago

@timmc-edx: I like the idea of a low risk change. I also think you could open this up to the community to discuss how and if it would help them. If using CDN is quick and simple, I'd start there and see what you learn. Then you could decide when and if someone could make this a platform feature. Happy to chat about it as well.

timmc-edx commented 1 year ago

Yep, planning on making a Discourse post. I guess I was more specifically wondering about your reaction to the prospect of adding yet another middleware to edx-django-utils, which is perpetually at risk of becoming a large undifferentiated bag of utilities. :-) I might start with putting code in Studio, but I'd want to move it somewhere else eventually.

Using a CDN might not be as simple as it would seem, depending on our current configuration. (I agree that that would be a good place to do testing, but I'm not optimistic.)

robrap commented 1 year ago

I guess I was more specifically wondering about your reaction to the prospect of adding yet another middleware to edx-django-utils, which is perpetually at risk of becoming a large undifferentiated bag of utilities. :-)

I see. Yes - that is a reasonable concern.

This repo exists: https://github.com/openedx/xss-utils

I'm not saying this belongs there, but wondering whether we want some sort of security-utils, or some more specific repo for this code?

timmc-edx commented 1 year ago

I think what I'd like to do is incubate the CSP code in CMS, but then extract it into a library once it's ready for use elsewhere. This will allow more time to decide on where it belongs.

robrap commented 1 year ago

@timmc-edx: Sounds reasonable. You can work with owner TNL, and hopefully your changes are done in a low-or-no risk manner.

timmc-edx commented 1 year ago

PR to add a middleware to edx-django-utils: https://github.com/openedx/edx-django-utils/pull/289

I had originally intended to include a Waffle Flag, but that would create a circular dependency between edx-django-utils and edx-toggles. I'm also not sure if it would create too much configuration complexity.