Allowing ANDI images

src/registrar/config/settings.py

@@ -357,9 +357,20 @@ CSP_FORM_ACTION = allowed_sources
 # strict CSP by allowing scripts to run from their domain
 # and inline with a nonce, as well as allowing connections back to their domain.
 # Note: If needed, we can embed chart.js instead of using the CDN
-CSP_SCRIPT_SRC_ELEM = ["'self'", "https://www.googletagmanager.com/", "https://cdn.jsdelivr.net/npm/chart.js"]
-CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/"]
-CSP_INCLUDE_NONCE_IN = ["script-src-elem"]
+CSP_DEFAULT_SRC = [
+    "'self'",
+]
+CSP_STYLE_SRC = ["'self'", "https://www.ssa.gov", "'unsafe-inline'"]
+CSP_SCRIPT_SRC_ELEM = [
+    "'self'",
+    "https://www.googletagmanager.com/",
+    "https://cdn.jsdelivr.net/npm/chart.js",
+    "https://www.ssa.gov",
+    "https://ajax.googleapis.com",
+]
+CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/", "https://www.ssa.gov"]
+CSP_INCLUDE_NONCE_IN = ["script-src-elem", "style-src"]
+CSP_IMG_SRC = ["'self'", "https://www.ssa.gov"]
 
 # Cross-Origin Resource Sharing (CORS) configuration
 # Sets clients that allow access control to manage.get.gov

src/registrar/registrar_middleware.py

@@ -168,7 +168,7 @@ class ANDIMiddleware(MiddlewareMixin):
         response = self.get_response(request)
         return response
 
-    def process_view(self, request, view_func, view_args, view_kwargs):
+    def process_template_view(self, request, view_func, view_args, view_kwargs):
         response = self.get_response(request)
         if "text/html" in response.get("Content-Type", ""):
             andi_script = """