A little javascript and middleware work together to ensure that the user was active during the past X minutes in any tab he has open. Otherwise, display a warning leaving a couple of minutes to show any kind of activity like moving the mouse. Otherwise, logout the user.
django-csp allows setting of Content-Security-Policy-Headers, which aim to improve Web-Security. This includes executing only safe javascript / css-settings, which are identified by policies such as script-src or style-src. More information about CSP can be found at https://content-security-policy.com/
As django-session-security includes a template, both style-src (for the display:none of the overlay) and script-src (for the inline JavaScript enabling sessionSecurity.
My suggestion would be:
Move display:none; to the static CSS-File - changes in this property directly on the DOM via JS would supersede this anyway
Support using request.nonce for the inline-script
In the meantime, the issue can be circumvented by adding 'unsafe-inline' to CSP_SCRIPT_SRC and CSP_STYLE_SRC, but this should not be considered a fix due to the lack of security (unsafe- is meant that way).
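As an added illustration of the nonce approach proposed above (example code, not from the django-session-security or django-csp projects): a stand-alone model of a nonce-based script-src policy beside the 'unsafe-inline' workaround, with a simplified allow-check that shows why the workaround is not a fix. The helper names and the policy builder are hypothetical; django-csp's real middleware and settings are not used.

```python
import base64
import secrets
from typing import Dict, Optional


def make_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64-encoded as CSP expects; fresh per response.
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_csp_header(nonce: Optional[str], unsafe_inline: bool = False) -> str:
    """Hypothetical builder modelled on what CSP_SCRIPT_SRC / CSP_STYLE_SRC
    settings turn into: the same source list for script-src and style-src."""
    sources = ["'self'"]
    if unsafe_inline:
        sources.append("'unsafe-inline'")
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    src = " ".join(sources)
    return f"script-src {src}; style-src {src}"


def render_session_security_script(nonce: str) -> str:
    # The inline bootstrap script tagged with the per-response nonce (constructed body).
    return f'<script nonce="{nonce}">sessionSecurity = {{}};</script>'


def inline_script_allowed(policy: str, script_nonce: Optional[str]) -> bool:
    """Simplified CSP decision for one inline <script>: allowed when its nonce
    attribute matches a 'nonce-...' source, or when 'unsafe-inline' is present
    and no nonce source is (browsers ignore 'unsafe-inline' once a nonce or hash
    source appears in the directive)."""
    directives = {d.split()[0]: set(d.split()[1:]) for d in policy.split(";") if d.strip()}
    sources = directives.get("script-src", set())
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if script_nonce is not None and script_nonce in nonces:
        return True
    return "'unsafe-inline'" in sources and not nonces


def demo() -> Dict[str, bool]:
    nonce = make_nonce()
    nonce_policy = build_csp_header(nonce)
    unsafe_policy = build_csp_header(None, unsafe_inline=True)
    return {
        # The tagged bootstrap script runs; an injected script without the nonce does not.
        "tagged_under_nonce_policy": inline_script_allowed(nonce_policy, nonce),
        "injected_under_nonce_policy": inline_script_allowed(nonce_policy, None),
        # Under the 'unsafe-inline' workaround any injected inline script runs too.
        "injected_under_unsafe_inline": inline_script_allowed(unsafe_policy, None),
    }
```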