yourlabs / django-session-security

A little JavaScript and a middleware work together to ensure that the user was active during the past X minutes in any tab he has open. Otherwise, a warning is displayed, leaving a couple of minutes to show any kind of activity, like moving the mouse. Otherwise, the user is logged out.
http://django-session-security.rtfd.org
MIT License

Allow integration with django-csp #157

Closed prauscher closed 5 months ago

prauscher commented 5 months ago

django-csp allows setting Content-Security-Policy headers, which aim to improve web security. This includes executing only safe JavaScript / CSS settings, which are identified by policies such as script-src or style-src. More information about CSP can be found at https://content-security-policy.com/

As django-session-security includes a template, both style-src (for the display:none of the overlay) and script-src (for the inline JavaScript enabling sessionSecurity).

My suggestion would be:

  1. Move display:none; to the static CSS file - changes in this property directly on the DOM via JS would supersede this anyway
  2. Support using request.nonce for the inline-script

In the meantime, the issue can be circumvented by adding 'unsafe-inline' to CSP_SCRIPT_SRC and CSP_STYLE_SRC, but this should not be considered a fix due to the lack of security (unsafe- is meant that way).
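The nonce-based policy from suggestion 2 next to the 'unsafe-inline' workaround, as an added example that is not code from django-session-security or django-csp: a pure-Python sketch of what the two script-src/style-src configurations allow. It assumes django-csp's per-response nonce (which that middleware exposes to templates as request.csp_nonce) is generated here by hand, and the inline-source check is a simplified model of the browser's rule.

```python
import base64
import secrets
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]


def make_nonce() -> str:
    # One random base64 nonce per response, as django-csp does (generated by hand here, no Django needed).
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_csp(nonce: Optional[str], unsafe_inline: bool) -> Policy:
    # With the overlay's display:none moved into the static CSS file (suggestion 1),
    # style-src needs no inline allowance at all; only script-src needs the nonce (suggestion 2).
    script, style = ["'self'"], ["'self'"]
    if nonce:
        script.append(f"'nonce-{nonce}'")
    if unsafe_inline:  # the workaround from the issue: every inline script/style runs, injected ones included
        script.append("'unsafe-inline'")
        style.append("'unsafe-inline'")
    return {"script-src": script, "style-src": style}


def header_value(policy: Policy) -> str:
    # Serialise the directives as a Content-Security-Policy header value.
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def inline_allowed(policy: Policy, directive: str, nonce_attr: Optional[str]) -> bool:
    # Would the browser run an inline block carrying this nonce attribute? Mirrors the CSP
    # rule that 'unsafe-inline' is ignored once a nonce (or hash) source is present.
    srcs = policy[directive]
    if any(s.startswith("'nonce-") for s in srcs):
        return nonce_attr is not None and f"'nonce-{nonce_attr}'" in srcs
    return "'unsafe-inline'" in srcs


def script_tag(nonce: str) -> str:
    # Inline script tagged with the request nonce; the body is a placeholder, not the package's template.
    return f'<script nonce="{nonce}">/* sessionSecurity init placeholder */</script>'


if __name__ == "__main__":
    nonce = make_nonce()
    strict = build_csp(nonce, unsafe_inline=False)
    print(header_value(strict))
    print(script_tag(nonce))
    print(inline_allowed(strict, "script-src", nonce), inline_allowed(strict, "script-src", "attacker"))
```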