pallets-eco / flask-debugtoolbar

A toolbar overlay for debugging Flask applications
https://flask-debugtoolbar.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Debug toolbar inline script isn't compatible with Content Security Policy #88

Open toolness opened 9 years ago

toolness commented 9 years ago

I noticed the following inline script in flask_debugtoolbar/templates/base.html isn't compatible with a common content security policy (CSP) rule that obviates XSS attacks by preventing the execution of inline scripts:

<script type="text/javascript">var DEBUG_TOOLBAR_STATIC_PATH = '{{ static_path }}'</script>

(One might say that CSP should be disabled on debug builds anyways, which is a fair point, but there's also an argument for dev/prod parity, especially when it's not that hard to achieve.)

A simple fix is to have this static path be defined in a data attribute that is subsequently pulled out of the DOM by one of the non-inline scripts.

In the meantime, if the default static_path of /_debug_toolbar/static/ is used, a hash-source of 'sha256-zWl5GfUhAzM8qz2mveQVnvu/VPnCS6QL7Niu6uLmoWU=' can be used to permit the inline script.
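
How a hash-source such as the one quoted above is derived, and how to check whether a policy string permits a given inline script, as an added example that is not flask-debugtoolbar's own code: the script body is reconstructed from the template line quoted in this comment with the default static path substituted, and the policy strings are constructed for the demonstration.

```python
"""Derive and check the CSP hash-source for an inline <script>.

Added example, not flask-debugtoolbar code. The digest covers the exact text
between <script> and </script>, whitespace included, base64-encoded.
"""
import base64
import hashlib
import re

# Reconstructed from the template line quoted in the issue (assumption:
# no surrounding whitespace inside the <script> element).
INLINE_TEMPLATE = "var DEBUG_TOOLBAR_STATIC_PATH = '{static_path}'"


def render_inline_script(static_path="/_debug_toolbar/static/"):
    """Body of the toolbar's inline script after template substitution."""
    return INLINE_TEMPLATE.format(static_path=static_path)


def csp_hash_source(script_body, algo="sha256"):
    """Return the hash-source ('sha256-<base64>') that permits script_body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash-sources must use sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def script_src_sources(csp_header):
    """Source list governing scripts: script-src, falling back to default-src."""
    directives = {}
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def policy_permits_inline(csp_header, script_body):
    """True if the policy lets this exact inline script execute."""
    sources = script_src_sources(csp_header)
    hashes = [s.strip("'") for s in sources if re.match(r"'sha(256|384|512)-", s)]
    if hashes:  # a listed hash must match this exact body, byte for byte
        return any(csp_hash_source(script_body, h.split("-", 1)[0]) == h
                   for h in hashes)
    # CSP2 user agents ignore 'unsafe-inline' once a nonce source is present
    has_nonce = any(s.startswith("'nonce-") for s in sources)
    return not has_nonce and "'unsafe-inline'" in sources


if __name__ == "__main__":
    body = render_inline_script()
    print(csp_hash_source(body))  # compare with the hash quoted in the issue
    policy = "default-src 'self'; script-src 'self' '%s'" % csp_hash_source(body)
    print(policy_permits_inline(policy, body), policy_permits_inline(policy, body + " "))
```

Any change to the rendered body, including a different static_path or a stray newline inside the element, yields a different hash and the browser blocks the script.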

jorgelaranjo commented 10 months ago

For the ones trying to get it to work, just disable CSP with

<meta http-equiv="Content-Security-Policy" content="style-src 'self' 'unsafe-inline';">

Keep CSP on for production