#35692 closed New feature (duplicate)
form media elements should support emitting CSP nonces
Reported by: | László Károlyi | Owned by: | |
---|---|---|---|
Component: | Forms | Version: | 4.2 |
Severity: | Normal | Keywords: | csp |
Cc: | László Károlyi | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hello,
there is the django-csp PyPI module that makes the setting of a proper CSP achievable in Django. If one uses 'strict-dynamic' and a nonce per request, all script tags (and eventually link/style tags) will need the nonce emitted at render time.
I've already committed a change to django-debug-toolbar with this that is now accepted: https://github.com/jazzband/django-debug-toolbar/pull/1975
In Django itself, the form media tags are generated in django/forms/widgets.py: respectively, the render_js and render_css methods are called.
The problem is, in order to emit the nonce, one needs the request object, which is not passed to the media object, since that contains the csp_nonce variable. One possibility would be to fetch the current request from the current thread, which is probably not a good idea in an async environment. In the toolbar module, I simply look for a csp_nonce to see if it's set, and render it if it is.
This will lead to more issues down the line, so I request a change on this. For the time being, it's only avoidable by rendering the media tags manually.
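An added example of the manual-rendering workaround the description mentions (not Django's, django-csp's or the reporter's code): it reproduces the tag shapes that Django 4.2's Media.render_js()/render_css() emit, but takes the nonce as an explicit argument, the way django-csp's request.csp_nonce would supply it, and leaves the attribute out when no nonce is set, as described for the toolbar. STATIC_URL, the nonce format check and the input lists are assumptions.

```python
import re
from html import escape

STATIC_URL = "/static/"  # assumption: stands in for settings.STATIC_URL
# A nonce is base64 text; refuse anything that could break out of the attribute.
NONCE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def absolute_path(path):
    """Same rule Media.absolute_path() applies: absolute URLs are left alone."""
    if path.startswith(("http://", "https://", "/")):
        return path
    return STATIC_URL + path


def nonce_attr(nonce):
    """Return ' nonce="..."', or '' when no nonce is set (toolbar-style)."""
    if not nonce:
        return ""
    if not NONCE_RE.match(nonce):
        raise ValueError("refusing to emit a malformed CSP nonce")
    return f' nonce="{nonce}"'


def render_js(js, nonce=None):
    """js: the list you would pass to Media(js=[...])."""
    attr = nonce_attr(nonce)
    return [f'<script src="{escape(absolute_path(p))}"{attr}></script>' for p in js]


def render_css(css, nonce=None):
    """css: {medium: [paths]} as passed to Media(css={...}); media are sorted."""
    attr = nonce_attr(nonce)
    tags = []
    for medium in sorted(css):
        for p in css[medium]:
            tags.append(
                f'<link href="{escape(absolute_path(p))}" media="{escape(medium)}"'
                f' rel="stylesheet"{attr}>'
            )
    return tags


def render_media(js, css, nonce=None):
    """Same order as Media.render(): css first, then js, newline-joined."""
    return "\n".join(render_css(css, nonce) + render_js(js, nonce))
```

In a template this replaces `{{ form.media }}` with the output of `render_media(...)` called with the request's nonce.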
Change History (3)
comment:1 by , 4 months ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
follow-up: 3 comment:2 by , 4 months ago
I believe this issue is more about requesting that the django.forms.widget.Media class have access to the request object so that the render_js and render_css (or subclass) could use them to render the tags with the nonce, which could be added independently of the work in #15727.
comment:3 by , 4 months ago
Replying to Rob Hudson:
I believe this issue is more about requesting that the django.forms.widget.Media class have access to the request object so that the render_js and render_css (or subclass) could use them to render the tags with the nonce, which could be added independently of the work in #15727.
Indeed, thanks. The issue is not a duplicate and hence it shouldn't have been closed. It is a separate problem.
I might be wrong, but it feels like support for strict-dynamic is being worked on in #15727.
You might be able to work on this with Refs #15727 but align this work to any work being progressed as part of that ticket.