Opened 9 years ago

Last modified 2 weeks ago

#25706 assigned Cleanup/optimization

Support CSP default-src 'self' on Django Admin GIS

Reported by: Thomas Grainger Owned by: Claude Paroz
Component: GIS Version: dev
Severity: Normal Keywords: CSP inline javascript
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description (last modified by Thomas Grainger)

Currently there's work (https://github.com/django/django/pull/5567) to comply with Content-Security-Policy: default-src 'self' on the base admin.

It's going to require further refactoring to apply the same to Django GIS.

This change will also require the addition of Selenium tests for the Django Admin GIS UI.
See also #15727.

Change History (14)

comment:1 by Thomas Grainger, 9 years ago

Description: modified (diff)
Keywords: CSP inline javascript added

comment:2 by Thomas Grainger, 9 years ago

Description: modified (diff)

comment:3 by Thomas Grainger, 9 years ago

Description: modified (diff)

comment:4 by Tim Graham, 9 years ago

Component: changed from Uncategorized to GIS
Triage Stage: changed from Unreviewed to Accepted
Type: changed from Uncategorized to Cleanup/optimization
Version: changed from 1.8 to master

comment:5 by Claude Paroz, 8 years ago

This PR does the job for the GIS forms/widgets. I may need help for JS correctness...

comment:6 by GitHub <noreply@…>, 3 years ago

In 322a1a03:

Refs #25706 - Removed inline JavaScript from OpenLayers template.

This allows setting a Content-Security-Policy HTTP header.

comment:7 by Claude Paroz, 3 years ago

Owner: changed from nobody to Claude Paroz
Status: changed from new to assigned

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 2 years ago

In 44c24bf:

Refs #25706 -- Removed inline CSS in the openlayers widget template.

comment:9 by Mariusz Felisiak, 20 months ago

Claude, is there anything left for this ticket 🤔?

comment:10 by Claude Paroz, 20 months ago

Absolutely, the challenge here is to remove any JS code from contrib/gis/templates/gis/openlayers.html (and openlayers-osm.html), which is currently defining the base map layer and instantiating the MapWidget (with that layer in initializer options).

Any suggestion on how to proceed without losing customization capabilities is warmly welcome!
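One CSP-compatible way to keep the per-widget configuration out of inline script, as an added illustration rather than code from Django or from this ticket's patch: the template renders its options into a non-executable JSON block (the pattern Django's json_script filter uses) and an external static file reads it and resolves the base layer from a registry that projects can extend. The option keys, layer names and the sample JSON below are constructed for the example and are not the real MapWidget API.

```javascript
// Added example, not Django's code. Registry of base-layer factories: a project
// keeps customization by adding entries here in its own static JS file instead
// of editing inline template script, which default-src 'self' would block.
const BASE_LAYERS = {
  osm: () => ({ type: "osm", url: "https://tile.openstreetmap.org/{z}/{x}/{y}.png" }),
  blank: () => ({ type: "blank" }),
};

// Constructed sample of what a <script type="application/json"> block would
// carry; the \u003c escape is what HTML-safe JSON serialisation emits for "<".
const SAMPLE_CONFIG_JSON =
  '{"geom_name": "Point\\u003c", "map_srid": 3857, "base_layer": "osm"}';

// Parse the JSON text of such a block. A script of type application/json is
// never executed by the browser, so it passes CSP; JSON.parse decodes the
// \uXXXX escapes. Returns null instead of throwing so a malformed block cannot
// abort the other scripts on the admin page.
function parseWidgetConfig(jsonText) {
  try {
    const cfg = JSON.parse(jsonText);
    return cfg !== null && typeof cfg === "object" && !Array.isArray(cfg) ? cfg : null;
  } catch (e) {
    return null;
  }
}

// Build initializer options from the parsed config. The layer name is only a
// lookup key: nothing from the config is evaluated, an own-property check
// stops names like "__proto__" from reaching Object.prototype, and unknown
// names fall back to the default layer.
function buildWidgetOptions(cfg) {
  const name = typeof cfg.base_layer === "string" ? cfg.base_layer : "osm";
  const factory = Object.prototype.hasOwnProperty.call(BASE_LAYERS, name)
    ? BASE_LAYERS[name]
    : BASE_LAYERS.osm;
  return {
    baseLayer: factory(),
    geomName: typeof cfg.geom_name === "string" ? cfg.geom_name : "Geometry",
    mapSrid: Number.isInteger(cfg.map_srid) ? cfg.map_srid : 3857,
  };
}

// Browser entry point (hypothetical element id): reads the JSON block by id.
// Guarded so the same file can be exercised without a DOM.
function initFromDocument(configElementId) {
  if (typeof document === "undefined") return null;
  const el = document.getElementById(configElementId);
  const cfg = el ? parseWidgetConfig(el.textContent) : null;
  return cfg ? buildWidgetOptions(cfg) : null;
}
```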

comment:11 by Matthieu Marrast, 10 months ago

I opened the same issue: https://code.djangoproject.com/ticket/35017 (sorry for the duplicate)
I'm interested in a solution.
What is the problem with PR https://github.com/django/django/pull/7205?

comment:12 by Claude Paroz, 10 months ago (in reply to comment:11)

Replying to Matthieu Marrast:

What is the problem with PR https://github.com/django/django/pull/7205?

I would say the main problem is to replace the base_layer block, which was not present at the time of that patch, and still allow base layer customization. It would probably imply specifying a custom JS file somewhere, but someone has to come up with a good plan to put the pieces in place for that, with an upgrade path.

comment:13 by Claude Paroz, 4 weeks ago

Has patch: set

So I decided to bite the bullet once more and cook a new patch, giving up on the backwards compatibility part, as I think it would be too hard to do (unless someone suggests a reasonable deprecation path).

comment:14 by Natalia Bidart, 2 weeks ago

Patch needs improvement: set

I haven't started a "full review" on this one but it would be helpful to have the docs and JS tests passing to start with.
