Opened 8 years ago

Last modified 8 months ago

#25706 assigned Cleanup/optimization

Support CSP default-src 'self' on Django Admin GIS

Reported by: Thomas Grainger
Owned by: Claude Paroz
Component: GIS
Version: dev
Severity: Normal
Keywords: CSP inline javascript
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Thomas Grainger)

Currently there's work (https://github.com/django/django/pull/5567) to comply with Content-Security-Policy: default-src 'self' on the base admin.

It's going to require further refactoring to apply the same to Django GIS.

This change will also require the addition of Selenium tests for the Django Admin GIS UI.
See also #15727.

Change History (10)

comment:1 Changed 8 years ago by Thomas Grainger

Description: modified (diff)
Keywords: CSP inline javascript added

comment:2 Changed 8 years ago by Thomas Grainger

Description: modified (diff)

comment:3 Changed 8 years ago by Thomas Grainger

Description: modified (diff)

comment:4 Changed 8 years ago by Tim Graham

Component: Uncategorized → GIS
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization
Version: 1.8 → master

comment:5 Changed 7 years ago by Claude Paroz

This PR does the job for the GIS forms/widgets. I may need help for JS correctness...

comment:6 Changed 22 months ago by GitHub <noreply@…>

In 322a1a03:

Refs #25706 - Removed inline JavaScript from OpenLayers template.

This allows setting a Content-Security-Policy HTTP header.

comment:7 Changed 22 months ago by Claude Paroz

Owner: changed from nobody to Claude Paroz
Status: new → assigned

comment:8 Changed 14 months ago by Mariusz Felisiak <felisiak.mariusz@…>

In 44c24bf:

Refs #25706 -- Removed inline CSS in the openlayers widget template.

comment:9 Changed 8 months ago by Mariusz Felisiak

Claude, is there anything left for this ticket 🤔?

comment:10 Changed 8 months ago by Claude Paroz

Absolutely, the challenge here is to remove any JS code from contrib/gis/templates/gis/openlayers.html (and openlayers-osm.html), which is currently defining the base map layer and instantiating the MapWidget (with that layer in initializer options).

Any suggestion on how to proceed without losing customization capabilities is warmly welcome!
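
Added example (not part of the ticket and not Django's code): a small audit that lists the inline constructs a `Content-Security-Policy: default-src 'self'` header blocks in a template, which is the kind of leftover this ticket tracks. The sample template is constructed, and its file path, ids and function names are hypothetical.

```python
from html.parser import HTMLParser

# Script types a browser executes; other types (e.g. application/json) are inert data.
EXECUTABLE_TYPES = {"", "module", "text/javascript", "application/javascript"}

class InlineAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []    # (line, kind, detail) for each blocked construct
        self._pending = None  # line of an open inline <script>, if any

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and "src" not in attrs:
            if attrs.get("type", "").strip().lower() in EXECUTABLE_TYPES:
                self._pending = line
        elif tag == "style":
            self.findings.append((line, "inline-style-element", "<style>"))
        for name, value in attrs.items():
            if name.startswith("on") and len(name) > 2:
                self.findings.append((line, "event-handler", name))
            elif name == "style":
                self.findings.append((line, "style-attribute", value))

    def handle_data(self, data):
        if self._pending is not None and data.strip():
            self.findings.append((self._pending, "inline-script", data.strip().splitlines()[0]))
            self._pending = None

    def handle_endtag(self, tag):
        if tag == "script":
            self._pending = None

def audit(template_source):
    parser = InlineAudit()
    parser.feed(template_source)
    parser.close()
    return parser.findings

# Constructed sample, not Django's real template; path, ids and names are hypothetical.
SAMPLE = """\
<style>#{{ id }}_map { width: 600px; }</style>
<div id="{{ id }}_map" style="height: 400px"></div>
<a href="#" onclick="clearFeatures()">Delete all features</a>
<script src="{% static 'example/map.js' %}"></script>
<script type="application/json" id="map-options">{"geom_name": "Point"}</script>
<script>var widget = new MapWidget({base_layer: base_layer});</script>
"""
print(audit(SAMPLE))
```

The audit covers inline constructs only; cross-origin `src`/`href` loads, which `default-src 'self'` also blocks, are out of scope. The `application/json` block is not reported because the browser never executes it, which makes it one way to hand options to an external script.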
