Opened 4 years ago

Last modified 6 months ago

#15727 assigned New feature

Add support for Content-Security-Policy (CSP) to core

Reported by: db.pub.mail@… Owned by: Rudolph
Component: HTTP handling Version: master
Severity: Normal Keywords:
Cc: eromijn@… Triage Stage: Accepted
Has patch: yes Needs documentation: yes
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

out of the box support for CSP would totally rock!
See https://developer.mozilla.org/en/Security/CSP/Introducing_Content_Security_Policy for more information on what CSP is about.

Change History (18)

comment:1 Changed 4 years ago by jezdez

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 4 years ago by lukeplant

  • Component changed from Uncategorized to HTTP handling
  • Triage Stage changed from Unreviewed to Someday/Maybe

Having just read the specs now, it appears that for this to work you cannot have inline scripts. From looking at django-csp, it appears there is an option to re-enable inline scripts, but that would appear to seriously limit the usefulness of the protection.

The disabling of inline scripts is problematic for us in a number of ways:

  • Various places in the admin use inline scripts
  • Lots of Django projects will use the pattern of using {% url %} inside an inline javascript block in a template, even if the bulk of the javascript is in a separate file. There have been discussions recently about how to improve this, but no conclusion yet.

If a CSP middleware is not compatible with either our killer app or many third party apps, I'm afraid I don't share the enthusiasm of the reporter! It isn't going to get much use in Django, and there wouldn't be much point adding it. I should also note that due to the autoescaping feature of our template language, we have a pretty good record with XSS. (Not that additional security wouldn't be welcome, I'm just pointing out that it isn't a special priority for us).

To mark 'Accepted' would really imply that we are going to do something about the inline HTML in the admin and these other problems, which is unlikely in all honesty, so I'm going to mark as Someday/Maybe instead, although I'm also inclined towards Wontfix, because we need some compelling reason why this should be in core rather than as an external app like django-csp.

comment:3 Changed 4 years ago by lukeplant

  • Type set to New feature

comment:4 Changed 4 years ago by lukeplant

  • Severity set to Normal

comment:5 follow-up: Changed 4 years ago by d1b

Well it would be a real nice to have. I sent an email reply but it was blocked :/
Django hasn't been 'xss free' and a new template tag could be added to transform inline js into js included and served from a given location(that the CSP policy allows).

Last edited 4 years ago by d1b (previous) (diff)

comment:6 in reply to: ↑ 5 Changed 4 years ago by lukeplant

Replying to d1b:

a new template tag could be added to transform inline js into js included and served from a given location(that the CSP policy allows).

Sounds wonderful! Patch welcome :-)

(To explain what may not come over well on Trac: I'm implying that there are multiple significant problems with this suggestion that would need to be solved before it was practical. A solution to them isn't necessarily impossible, but will at least require quite a lot of work. What is written above is only one step away from saying "A new 'magic wand' feature could be added to Django that makes the problems with using CSP disappear, and then it would be sensible to add it". Indeed it would be...).

I sent an email reply but it was blocked :/

I don't know what you mean by an email reply - all emails sent from Trac are from the 'noreply@…' address.

comment:7 Changed 3 years ago by aaugustin

  • UI/UX unset

Change UI/UX from NULL to False.

comment:8 Changed 3 years ago by aaugustin

  • Easy pickings unset

Change Easy pickings from NULL to False.

comment:9 Changed 3 years ago by PaulM

  • Triage Stage changed from Someday/Maybe to Accepted

Now that CSP is much closer to being finalized, I would personally like to see this as part of Django core. We already protect against XSS, CSRF, and clickjacking; CSP fits right in with these features.

The work which can be done now (before the spec is finalized) mainly involves removing inline scripting and the mixing of styling and markup in the HTML templates we ship. This makes sense from the perspectives of both security and best practices. This would be a really good task for a group people to tackle during a sprint. Once the spec is finalized, we can work to integrate django-csp more closely, to the point that it makes sense to pull into core.

Even if we can't spend the time to really lock down the admin (and we may not, given our stance that the admin tends to be for trusted users), I think it makes sense to ship a CSP implementation with Django, so that projects can use a canonical, well tested, carefully implemented solution. Security features are hard to get right, and it makes sense to bless one and concentrate effort, rather than waiting to see which one wins.

The current spec can be found here: http://www.w3.org/TR/CSP/

I'm moving this back into accepted, with the caveat that it won't land in the near future (1.6 timeframe is probably realistic).

comment:10 Changed 2 years ago by erikr

  • Cc eromijn@… added
  • Summary changed from out of the box support for CSP would totally rock! to Add support for Content-Security-Policy (CSP) to core

comment:11 Changed 9 months ago by nhazar

After 3 years and 5 major releases, adding content security policy support to Django would still totally rock.

comment:12 Changed 8 months ago by Rudolph

  • Owner changed from nobody to Rudolph
  • Status changed from new to assigned

comment:13 Changed 8 months ago by Rudolph

  • Has patch set
  • Version changed from 1.2 to master

Pull request has been added with tests and documentation.

comment:14 Changed 7 months ago by erikr

  • Needs documentation set

Thanks for that patch. In general, I think it is important that we document well how to change projects to be CSP-compatible. The easier we make this, the more projects will use CSP, the safer people will be. A few quick notes:

  • I agree with PaulM that we could accept having the admin not CSP-compatible. However, we should very clearly document that CSP currently breaks with the admin. If I remember correctly, mozilla's django-csp allows one to add excluded paths, so that one can have both CSP and the admin enabled. That does reduce effectiveness, of course, but is better than no CSP.
  • With in-line javascript no longer allowed, it would be useful to point out <script type="application/json"></script> to people, which if my memory serves me right makes it easy to include a bit of json in your templates without violating CSP. Not 100% sure here though.
  • That can also help for the {% url %} problem described in comment:2, but perhaps there are other suggestions we can make.
  • This also deserves a place in the 1.8 release notes and in the security documentation (we have a specific page for that).

comment:15 Changed 7 months ago by Rudolph

Thanks for your comment.

Current pull request does not enable a Content-Security-Policy by default, because we can make no assumptions about the implementation details of other people's code. So the admin will stay fully functional unless you specify a policy which is too strict for the admin. However I agree that it would be nice to also provide a default policy for the admin (as strict as currently possible), which should be configurable for people that want to allow more (i.e. load external scripts).

Comment:2 can be easily solved by putting url's and other data needed by Javascript in data attributes instead.

I'll add something to the release notes in my update to the pull request.

comment:16 Changed 7 months ago by carljm

For reference, the PR is at https://github.com/django/django/pull/3550

comment:17 Changed 7 months ago by carljm

The code looks reasonable to me. I agree with all of @erikr's recommendations regarding additional documentation.

comment:18 Changed 6 months ago by gavinwahl

I don't see any value in adding the ability for django to set the CSP header for you. I can easily do that myself with a middleware.

The important thing for django to support is to make the admin compatible with CSP. Otherwise, most installations can't use CSP anyway.

A builtin CSP middleware _could_ be useful if it had a standardized way of dealing with nonce an hash sources. This really seems like a third-party app and not something in django core.

Last edited 6 months ago by gavinwahl (previous) (diff)
Note: See TracTickets for help on using tickets.
Back to Top