django csp

app/aviary/templates/aviary/aviary_all.html

@@ -14,7 +14,7 @@
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/dataTables.responsive.min.js"></script>
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/responsive.bootstrap5.min.js"></script>
 
-<script>
+<script nonce="{{request.csp_nonce}}">
     $(document).ready(function () {
         let table = $('#t__aviary_all').DataTable({
             language: {

app/bird/templates/bird/bird_all.html

@@ -14,7 +14,7 @@
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/dataTables.responsive.min.js"></script>
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/responsive.bootstrap5.min.js"></script>
 
-<script>
+<script nonce="{{request.csp_nonce}}">
   $(document).ready(function () {
     let table = $('#t__bird_all').DataTable({
       language: {

app/bird/templates/bird/bird_inactive.html

@@ -14,7 +14,7 @@
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/dataTables.responsive.min.js"></script>
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/responsive.bootstrap5.min.js"></script>
 
-<script>
+<script nonce="{{request.csp_nonce}}">
   $(document).ready(function () {
     let table = $('#t__bird_all').DataTable({
       language: {

app/core/settings.py

@@ -25,12 +25,6 @@ CSRF_TRUSTED_ORIGINS = ["https://fbf.nabu-jena.de"]
 # Cookies
 SESSION_COOKIE_SECURE = True
 
-# DJANGO Content Security Policy
-CSP_DEFAULT_SRC = ("'self'",)
-CSP_STYLE_SRC = ("'self'",)
-CSP_SCRIPT_SRC = ("'self'",)
-CSP_IMG_SRC = ("'self'",)
-CSP_FONT_SRC = ("'self'",)
 
 # HTTPS
 SECURE_HSTS_SECONDS = 0
@@ -92,8 +86,35 @@ MIDDLEWARE = [
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "csp.middleware.CSPMiddleware",
 ]
 
+# DJANGO Content Security Policy
+CSP_DEFAULT_SRC = (
+    "'self'",
+    "https://cdn.datatables.net",
+)
+CSP_STYLE_SRC = (
+    "'self'",
+    "https://bootswatch.com",
+    "https://cdn.datatables.net",
+    "https://cdnjs.cloudflare.com",
+    "https://fonts.googleapis.com",
+)
+CSP_SCRIPT_SRC = (
+    "'self'",
+    "https://cdn.datatables.net",
+    "https://cdn.jsdelivr.net",
+    "https://code.jquery.com",
+)
+CSP_INCLUDE_NONCE_IN = ["script-src"]
+CSP_IMG_SRC = ("'self'",)
+CSP_FONT_SRC = (
+    "'self'",
+    "https://fonts.gstatic.com",
+    "https://cdnjs.cloudflare.com",
+)
+
 ROOT_URLCONF = "core.urls"
 
 TEMPLATES = [

app/costs/templates/costs/costs_all.html

@@ -18,7 +18,7 @@
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/responsive.bootstrap5.min.js"></script>
 
 <!-- Configure the DataTable. -->
-<script>
+<script nonce="{{request.csp_nonce}}">
     $(document).ready(function () {
         let table = $('#t__costs_all').DataTable({
             language: {

app/rescuer/templates/rescuer/rescuer_all.html

@@ -14,7 +14,7 @@
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/dataTables.responsive.min.js"></script>
 <script src="https://cdn.datatables.net/responsive/2.2.9/js/responsive.bootstrap5.min.js"></script>
 
-<script>
+<script nonce="{{request.csp_nonce}}">
   $(document).ready(function () {
     let table = $('#t__rescuer_all').DataTable({
       language: {