Update CSP header

project_novis/callsign/views.py

@@ -42,7 +42,18 @@ class DefaultPagination(LimitOffsetPagination):
     max_limit = 100
 
 
-@method_decorator(csp_update(IMG_SRC=("maps.googleapis.com", "maps.gstatic.com", "lh3.ggpht.com", "cbks0.googleapis.com", "khms0.googleapis.com", "khms1.googleapis.com"), SCRIPT_SRC=("maps.googleapis.com", "maps.gstatic.com")), name='dispatch')
+@method_decorator(csp_update(IMG_SRC=(
+    "maps.googleapis.com",  # Google Maps
+    "maps.gstatic.com",  # Google Maps
+    "cbks0.googleapis.com",
+    "khms0.googleapis.com",
+    "khms1.googleapis.com",
+    "lh3.ggpht.com",
+    "geo0.ggpht.com",  # Google Street View
+    "geo1.ggpht.com",  # Google Street View
+    "geo2.ggpht.com",  # Google Street View
+    "geo3.ggpht.com",  # Google Street View
+    ), SCRIPT_SRC=("maps.googleapis.com", "maps.gstatic.com")), name='dispatch')
 class CallsignDetailView(DetailView):
     queryset = Callsign.objects\
         .select_related("prefix") \

project_novis/settings.py

@@ -168,7 +168,7 @@ def bool_env(key, default=None):
 CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "cdnjs.cloudflare.com", "maxcdn.bootstrapcdn.com", "piwik.nerdpol.io", "stackpath.bootstrapcdn.com")
 CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "maxcdn.bootstrapcdn.com", "cdnjs.cloudflare.com", "fonts.googleapis.com", "stackpath.bootstrapcdn.com")
 CSP_FONT_SRC = ("'self'", "fonts.googleapis.com", "fonts.gstatic.com", "maxcdn.bootstrapcdn.com", "cdnjs.cloudflare.com", "stackpath.bootstrapcdn.com")
-CSP_IMG_SRC = ("'self'", "data:", "cdnjs.cloudflare.com", "piwik.nerdpol.io", "www.gravatar.com")
+CSP_IMG_SRC = ("'self'", "data:", "cdnjs.cloudflare.com", "piwik.nerdpol.io", "www.gravatar.com", "www.gstatic.com")
 CSP_EXCLUDE_URL_PREFIXES = ("/admin/", "/api/v1/swagger/")
 
 # CORS settings