#33803 closed Bug (invalid)
Add crossorigin attribute to django admin templates
Reported by: | fcrozatier | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 4.0 |
Severity: | Normal | Keywords: | crossorigin COEP |
Cc: | Adam Johnson | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When we store our static files on a cloud (DigitalOcean Spaces in my case) and we have Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers on the load balancer, the files are blocked since they are not same-origin. This is usually not a problem; we just have to add a crossorigin attribute, but in the case of Django admin files the templates do not set them.
Should we add the crossorigin attribute to the script, link and img tags of the template files?
Without this attribute the files are blocked with Cross-Origin Opener Policy.
Change History (3)
comment:1 by , 2 years ago
Cc: | added |
---|---|
follow-up: 3 comment:2 by Adam Johnson, 2 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
No, the answer here is not to change Django. When setting COEP to require-corp, you have two options to allow cross-origin assets to work. *Either* you set the `crossorigin` attribute, or the assets are served with a CORP header declaring cross-origin loading to be allowed. Thus, you should change your static asset hosting to add this CORP header. I blogged about these headers here: https://adamj.eu/tech/2021/05/01/how-to-set-coep-coop-corp-security-headers-in-django/
Also with HTTP 2+ it's more efficient to serve your assets from the same domain, as they can be served on a single connection. Most sites should be doing this. Whitenoise is a popular solution for doing so with minimal configuration: https://whitenoise.evans.io/en/stable/
comment:3 by , 2 years ago
Replying to Adam Johnson:
> No, the answer here is not to change Django. When setting COEP to require-corp, you have two options to allow cross-origin assets to work. *Either* you set the `crossorigin` attribute, or the assets are served with a CORP header declaring cross-origin loading to be allowed. Thus, you should change your static asset hosting to add this CORP header. I blogged about these headers here: https://adamj.eu/tech/2021/05/01/how-to-set-coep-coop-corp-security-headers-in-django/
> Also with HTTP 2+ it's more efficient to serve your assets from the same domain, as they can be served on a single connection. Most sites should be doing this. Whitenoise is a popular solution for doing so with minimal configuration: https://whitenoise.evans.io/en/stable/
Thank you.
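The two options from comment 2, as an added example that is neither Django's code nor the commenter's: a small Python model of the COEP require-corp embedding check, useful for confirming which header combination unblocks a static asset before touching the hosting configuration. The document and CDN hostnames are constructed, and the same-site test is a stated simplification of what browsers do.

```python
from urllib.parse import urlsplit

# Added example (not Django's or the commenter's code): models the
# COEP: require-corp embedding rule described in comment 2. A cross-origin
# asset loads only if the tag opts into CORS (crossorigin attribute plus a
# valid CORS response) or the asset is served with a Cross-Origin-Resource-
# Policy header that permits the embedding document. Hostnames are constructed.


def origin(url):
    """(scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.port


def same_site(doc_url, asset_url):
    """Simplified same-site test: same scheme and same last two host labels.

    Browsers use the Public Suffix List; this approximation is an assumption
    made for the example and is wrong for suffixes such as co.uk."""
    d, a = origin(doc_url), origin(asset_url)
    return d[0] == a[0] and d[1].split(".")[-2:] == a[1].split(".")[-2:]


def coep_allows(document_url, asset_url, asset_headers, crossorigin_attr):
    """True if a document sent with COEP: require-corp may embed the asset."""
    headers = {k.lower(): v.strip() for k, v in asset_headers.items()}
    if origin(document_url) == origin(asset_url):
        return True  # same-origin assets are never subject to CORP
    if crossorigin_attr:
        # CORS mode (first option in comment 2): the response must name the
        # embedding origin, or '*', in Access-Control-Allow-Origin.
        acao = headers.get("access-control-allow-origin", "")
        return acao == "*" or (bool(acao) and origin(acao) == origin(document_url))
    # no-cors mode (second option): only a CORP header can opt the asset in.
    corp = headers.get("cross-origin-resource-policy", "").lower()
    if corp == "cross-origin":
        return True
    if corp == "same-site":
        return same_site(document_url, asset_url)
    return False  # missing CORP, or CORP: same-origin, is blocked


if __name__ == "__main__":
    doc = "https://example.com/admin/"
    css = "https://cdn.spaces.example/static/admin/css/base.css"  # constructed
    print("no CORP, no crossorigin:", coep_allows(doc, css, {}, False))
    print("CORP: cross-origin:", coep_allows(
        doc, css, {"Cross-Origin-Resource-Policy": "cross-origin"}, False))
```

The first printed case reproduces the ticket's failure (CDN asset, no CORP header, no crossorigin attribute); the second shows the CORP fix the comment recommends.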