[waiting for django5.1] Content Security Policy

[richardebeling]

Additional layer to prevent JavaScript injection. Still allows inline CSS and images to be exploited.

• To fix CSS, we need to figure out how we can handle dynamically generated colors. Using attr() in CSS doesn't work with current browsers, at least for colors. The only workaround I currently see is having custom javascript that translates data-X helper attributes for color into "inline" style (using the .style attribute) -- seems a bit ugly to me
• To fix images, we'd need to move the data: images we currently have (3 svg paths in CSS files) into separate files. These are currently inlined into CSS to use our color definitions.
• Modal changes conflict with Rewrite confirmation modals #1985 -- we can just remove the modal changes from this PR once the "new" modals are merged.
• Consider setting up CSP failure reporting, maybe using some external service that tracks / aggregates them for us? Would leak user data though. mozilla-django-csp at least had a report-view in the past, but the documentation looks they don't want to maintain that anymore

[niklasmohrin]

Haven't read modal commit yet, because we expect that to change after #1985 is merged. Looks good in general, some comments:

[richardebeling]

Current test failures are when a view aborts request processing and we thus defer to django's default handling for 400/500 responses. When rendering the template for those, the request does not have the annotated csp_nonce anymore (because the django stack loses the original request and crafts a new one).

https://code.djangoproject.com/ticket/34830 fixes this, will have to wait for a django version that contains the change (probably 5.1?)

[richardebeling]

Closing for now to clean up the PR list -- I'll keep it on my list and get back to this when 5.1 is released and we upgraded.