Support CSP Nonce for Jinja2 Assets

changes/204.a.canada.feature

@@ -0,0 +1 @@
+Adds script/style nonce capabilities to Jinja2 webassets.

changes/204.b.canada.changes

@@ -0,0 +1 @@
+Moved inline styles and JS attributes to classes and event listeners respectfully.

changes/204.c.canada.changes

@@ -0,0 +1 @@
+Now sets the Cache-Control header to `no-cache, private` for logged in users.

changes/204.d.canada.changes

@@ -0,0 +1 @@
+Loads image assets instead of `data:image` URIs for stricter Content-Security-Policy support.

ckan/lib/webassets_tools.py

@@ -11,7 +11,8 @@
 from webassets import Environment
 from webassets.loaders import YAMLLoader
 
-from ckan.common import config, g
+# (canada fork only): use CSP nonce to support strict-dynamic
+from ckan.common import config, g, request
 
 
 logger = logging.getLogger(__name__)
@@ -128,9 +129,13 @@ def include_asset(name: str) -> None:
 
 def _to_tag(url: str, type_: str):
     if type_ == u'style':
-        return u'<link href="{}" rel="stylesheet"/>'.format(url)
+        # (canada fork only): use CSP nonce to support strict-dynamic
+        return u'<link href="{}" rel="stylesheet" nonce="{}"/>'.format(
+            url, str(request.environ.get('CSP_NONCE', '')))
     elif type_ == u'script':
-        return u'<script src="{}" type="text/javascript"></script>'.format(url)
+        # (canada fork only): use CSP nonce to support strict-dynamic
+        return u'<script src="{}" type="text/javascript" nonce="{}"></script>'.format(
+            url, str(request.environ.get('CSP_NONCE', '')))
     return u''
 
 

ckan/public/base/css/main.css

@@ -2348,7 +2348,8 @@ textarea.form-control-lg {
   line-height: 1.5;
   color: #333333;
   background-color: #fff;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/chevron-down.svg");
   background-repeat: no-repeat;
   background-position: right 0.75rem center;
   background-size: 16px 12px;
@@ -2439,15 +2440,18 @@ textarea.form-control-lg {
   border-color: #206b82;
 }
 .form-check-input:checked[type=checkbox] {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10l3 3l6-6'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/check.svg"), url("/static/img/data_img/check.svg");
 }
 .form-check-input:checked[type=radio] {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='2' fill='%23fff'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot.svg"), url("/static/img/data_img/dot.svg");
 }
 .form-check-input[type=checkbox]:indeterminate {
   background-color: #206b82;
   border-color: #206b82;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20 20'%3e%3cpath fill='none' stroke='%23fff' stroke-linecap='round' stroke-linejoin='round' stroke-width='3' d='M6 10h8'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dash.svg"), url("/static/img/data_img/dash.svg");
 }
 .form-check-input:disabled {
   pointer-events: none;
@@ -2464,7 +2468,8 @@ textarea.form-control-lg {
 .form-switch .form-check-input {
   width: 2em;
   margin-left: -2.5em;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='rgba%280, 0, 0, 0.25%29'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot-grey.svg"), url("/static/img/data_img/dot-grey.svg");
   background-position: left center;
   border-radius: 2em;
   transition: background-position 0.15s ease-in-out;
@@ -2475,11 +2480,13 @@ textarea.form-control-lg {
   }
 }
 .form-switch .form-check-input:focus {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%2390b5c1'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot-blue.svg"), url("/static/img/data_img/dot-blue.svg");
 }
 .form-switch .form-check-input:checked {
   background-position: right center;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%23fff'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/dot-white.svg"), url("/static/img/data_img/dot-white.svg");
 }
 
 .form-check-inline {
@@ -2749,7 +2756,8 @@ textarea.form-control-lg {
 .was-validated .form-control:valid, .form-control.is-valid {
   border-color: #3A833A;
   padding-right: calc(1.5em + 0.75rem);
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'%3e%3cpath fill='%233A833A' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/check-green.svg"), url("/static/img/data_img/check-green.svg");
   background-repeat: no-repeat;
   background-position: right calc(0.375em + 0.1875rem) center;
   background-size: calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
@@ -2769,7 +2777,8 @@ textarea.form-control-lg {
 }
 .was-validated .form-select:valid:not([multiple]):not([size]), .was-validated .form-select:valid:not([multiple])[size="1"], .form-select.is-valid:not([multiple]):not([size]), .form-select.is-valid:not([multiple])[size="1"] {
   padding-right: 4.125rem;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'%3e%3cpath fill='%233A833A' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-downg"), url("/data/static/img/data_img/check-green.svg"), url("/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/check-green.svg");
   background-position: right 0.75rem center, center right 2.25rem;
   background-size: 16px 12px, calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
 }
@@ -2838,7 +2847,8 @@ textarea.form-control-lg {
 .was-validated .form-control:invalid, .form-control.is-invalid {
   border-color: #d43f3a;
   padding-right: calc(1.5em + 0.75rem);
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/danger.svg"), url("/static/img/data_img/danger.svg");
   background-repeat: no-repeat;
   background-position: right calc(0.375em + 0.1875rem) center;
   background-size: calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
@@ -2858,7 +2868,8 @@ textarea.form-control-lg {
 }
 .was-validated .form-select:invalid:not([multiple]):not([size]), .was-validated .form-select:invalid:not([multiple])[size="1"], .form-select.is-invalid:not([multiple]):not([size]), .form-select.is-invalid:not([multiple])[size="1"] {
   padding-right: 4.125rem;
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16'%3e%3cpath fill='none' stroke='%23343a40' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M2 5l6 6 6-6'/%3e%3c/svg%3e"), url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 12 12' width='12' height='12' fill='none' stroke='%23d43f3a'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23d43f3a' stroke='none'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down.svg"), url("/data/static/img/data_img/danger.svg"), url("/static/img/data_img/chevron-down.svg"), url("/static/img/data_img/danger.svg");
   background-position: right 0.75rem center, center right 2.25rem;
   background-size: 16px 12px, calc(0.75em + 0.375rem) calc(0.75em + 0.375rem);
 }
@@ -4400,7 +4411,8 @@ textarea.form-control-lg {
   border-color: rgba(0, 0, 0, 0.1);
 }
 .navbar-light .navbar-toggler-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%280, 0, 0, 0.55%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/burger.svg"), url("/static/img/data_img/burger.svg");
 }
 .navbar-light .navbar-text {
   color: rgba(0, 0, 0, 0.55);
@@ -4437,7 +4449,8 @@ textarea.form-control-lg {
   border-color: rgba(255, 255, 255, 0.1);
 }
 .navbar-dark .navbar-toggler-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%28255, 255, 255, 0.55%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/burger-lite.svg"), url("/static/img/data_img/burger-lite.svg");
 }
 .navbar-dark .navbar-text {
   color: rgba(255, 255, 255, 0.55);
@@ -4634,7 +4647,8 @@ textarea.form-control-lg {
   box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.125);
 }
 .accordion-button:not(.collapsed)::after {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%231d6075'%3e%3cpath fill-rule='evenodd' d='M1.646 4.646a.5.5 0 0 1 .708 0L8 10.293l5.646-5.647a.5.5 0 0 1 .708.708l-6 6a.5.5 0 0 1-.708 0l-6-6a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down-blue.svg"), url("/static/img/data_img/chevron-down-blue.svg");
   transform: rotate(-180deg);
 }
 .accordion-button::after {
@@ -4643,7 +4657,8 @@ textarea.form-control-lg {
   height: 1.25rem;
   margin-left: auto;
   content: "";
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23333333'%3e%3cpath fill-rule='evenodd' d='M1.646 4.646a.5.5 0 0 1 .708 0L8 10.293l5.646-5.647a.5.5 0 0 1 .708.708l-6 6a.5.5 0 0 1-.708 0l-6-6a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-down-grey.svg"), url("/static/img/data_img/chevron-down-grey.svg");
   background-repeat: no-repeat;
   background-size: 1.25rem;
   transition: transform 0.2s ease-in-out;
@@ -5332,7 +5347,11 @@ textarea.form-control-lg {
   height: 1em;
   padding: 0.25em 0.25em;
   color: #000;
-  background: transparent url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23000'%3e%3cpath d='M.293.293a1 1 0 011.414 0L8 6.586 14.293.293a1 1 0 111.414 1.414L9.414 8l6.293 6.293a1 1 0 01-1.414 1.414L8 9.414l-6.293 6.293a1 1 0 01-1.414-1.414L6.586 8 .293 1.707a1 1 0 010-1.414z'/%3e%3c/svg%3e") center/1em auto no-repeat;
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/close-black.svg"), url("/static/img/data_img/close-black.svg");
+  background-color: transparent;
+  background-repeat: no-repeat;
+  background-position: center;
   border: 0;
   border-radius: 0.25rem;
   opacity: 0.5;
@@ -6059,11 +6078,13 @@ textarea.form-control-lg {
   } ]
 } */
 .carousel-control-prev-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23fff'%3e%3cpath d='M11.354 1.646a.5.5 0 0 1 0 .708L5.707 8l5.647 5.646a.5.5 0 0 1-.708.708l-6-6a.5.5 0 0 1 0-.708l6-6a.5.5 0 0 1 .708 0z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-left.svg"), url("/static/img/data_img/chevron-left.svg");
 }
 
 .carousel-control-next-icon {
-  background-image: url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23fff'%3e%3cpath d='M4.646 1.646a.5.5 0 0 1 .708 0l6 6a.5.5 0 0 1 0 .708l-6 6a.5.5 0 0 1-.708-.708L10.293 8 4.646 2.354a.5.5 0 0 1 0-.708z'/%3e%3c/svg%3e");
+  /* (canada fork only): CSP support */
+  background-image: url("/data/static/img/data_img/chevron-right.svg"), url("/static/img/data_img/chevron-right.svg");
 }
 
 .carousel-indicators {
@@ -14184,3 +14205,38 @@ div[data-module="progress-bar"] .progress-bar-label{
   text-align: right;
   margin-bottom: 23px;
 }
+
+/* (canada fork only): CSP support */
+.user-recaptcha-wrapper{
+  width: 304px;
+  height: 352px;
+  position: relative;
+}
+.user-recaptcha-frame-wrapper{
+  width: 304px;
+  height: 352px;
+  position: absolute;
+}
+.user-recaptcha-frame{
+  width: 304px;
+  height: 352px
+}
+.user-recaptcha-text-wrapper{
+  width: 250px;
+  height: 80px;
+  position: absolute;
+  bottom: 21px;
+  left: 25px;
+  margin: 0;
+  padding: 0;
+  right: 25px;
+}
+.user-recaptcha-text{
+  width: 250px;
+  height: 80px;
+  border: 1px solid #c1c1c1;
+  margin: 0;
+  padding: 0;
+  resize: none;
+}
+/* END (canada fork only): CSP support END */

ckan/public/base/javascript/modules/metadata-button.js

@@ -18,7 +18,7 @@ ckan.module('metadata-button', function(jQuery) {
     },
 
     _onClick: function(event) {
-      console.log("PRESSED THE BUTTON");
+      // FIXME: TODO: move style attributes to classes
       var div = document.getElementById("metadata_diff");
       if (div.style.display === "none") {
         div.style.display = "block";

ckan/public/base/javascript/modules/resource-upload-field.js

@@ -15,7 +15,7 @@ this.ckan.module('resource-upload-field', function (jQuery) {
       // revert to URL for Link option
       $('#resource-link-button').on('click', function() {
         urlField.attr('type', 'url');
-      }) 
+      })
 
       $('#field-resource-upload').on('change', function() {
         if (_nameIsDirty) {
@@ -34,6 +34,50 @@ this.ckan.module('resource-upload-field', function (jQuery) {
 
         $('input[name="name"]').val(file_name);
       });
+
+      // (canada fork only): CSP support
+      let uploadButton = $('#resource-upload-button');
+      if( uploadButton.length > 0 ){
+        $(uploadButton).off('click.ResourceEdit');
+        $(uploadButton).on('click.ResourceEdit', function(_event){
+          let uploadField = document.getElementById('resource-url-upload');
+          if( typeof uploadField !== 'undefined' && uploadField != null ){
+            uploadField.checked = true;
+          }
+          document.getElementById('field-resource-upload').click();
+        });
+      }
+      let linkButton = $('#resource-link-button');
+      if( linkButton.length > 0 ){
+        $(linkButton).off('click.ResourceEdit');
+        $(linkButton).on('click.ResourceEdit', function(_event){
+          let urlField = document.getElementById('resource-url-link');
+          if( typeof urlField !== 'undefined' && urlField != null ){
+            urlField.checked = true;
+          }
+          document.getElementById('field-resource-url').focus();
+        });
+      }
+      let removeURIButtons = $('.btn-remove-url');
+      if( removeURIButtons.length > 0 ){
+        $(removeURIButtons).each(function(_index, _removeURIButton){
+          $(_removeURIButton).off('click.ResourceEdit');
+          $(_removeURIButton).on('click.ResourceEdit', function(_event){
+            let clearUploadField = document.getElementById('field-clear-upload');
+            if( typeof clearUploadField !== 'undefined' && clearUploadField != null ){
+              clearUploadField.checked = true;
+            }
+            document.getElementById('resource-url-none').checked = true;
+            document.getElementById($(_removeURIButton).attr('data-first-button')).focus();
+            if( $(_removeURIButton).attr('data-is-upload') == 'true' || $(_removeURIButton).attr('data-is-upload') == true || $(_removeURIButton).attr('data-is-upload') == 'True' ){
+              $('#field-resource-upload').replaceWith($('#field-resource-upload').val('').clone(true));
+            }else{
+              $('#field-resource-url').val('');
+            }
+          });
+        });
+      }
+
     }
   }
 });

ckan/templates/base.html

@@ -83,7 +83,8 @@
     {{ h.render_assets('style') }}
     {%- block custom_styles %}
       {%- if g.site_custom_css -%}
-      <style>
+      {# (canada fork only): CSP support #}
+      <style nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
         {{ g.site_custom_css | safe }}
       </style>
       {%- endif %}

ckan/templates/dataviewer/base.html

@@ -4,7 +4,8 @@
 
 {# remove any scripts #}
 {% block scripts %}
-  <script>
+  {# (canada fork only): CSP support #}
+  <script nonce="{{- h.get_inline_script_nonce() if 'get_inline_script_nonce' in h else '' -}}">
     var preload_resource = {{ h.literal(h.dump_json(resource)) }};
   </script>
 {% endblock %}