Opened 9 years ago
Last modified 3 months ago
#25706 assigned Cleanup/optimization
Support CSP default-src 'self' on Django Admin GIS
Reported by: | Thomas Grainger | Owned by: | Claude Paroz |
---|---|---|---|
Component: | GIS | Version: | dev |
Severity: | Normal | Keywords: | CSP inline javascript |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Currently there's work (https://github.com/django/django/pull/5567) to comply with Content-Security-Policy: default-src 'self' on the base admin.
It's going to require further re-factoring to apply the same to Django GIS.
This change will also require the addition of Selenium tests for the Django Admin GIS UI.
See also #15727
Change History (14)
comment:1 by , 9 years ago
Description: | modified (diff) |
---|---|
Keywords: | CSP inline javascript added |
comment:2 by , 9 years ago
Description: | modified (diff) |
---|
comment:3 by , 9 years ago
Description: | modified (diff) |
---|
comment:4 by , 9 years ago
Component: | Uncategorized → GIS |
---|---|
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Cleanup/optimization |
Version: | 1.8 → master |
comment:5 by , 8 years ago
comment:7 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:10 by , 22 months ago
Absolutely, the challenge here is to remove any JS code from contrib/gis/templates/gis/openlayers.html (and openlayers-osm.html), which is currently defining the base map layer and instantiating the MapWidget (with that layer in initializer options).
Any suggestion on how to proceed without losing customization capabilities is warmly welcome!
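An added example, not part of the ticket or of Django's code: a small audit that lists the markup a `default-src 'self'` policy would refuse in a rendered page, run over two constructed samples (one with an inline initializer, one with the options in a JSON data block and the code in static files). The static file paths, the `map-options` id and the `mapClicked` handler are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not Django's templates); static paths are hypothetical.
INLINE_PAGE = """
<div id="map" style="width:600px" onclick="mapClicked()"></div>
<script src="https://cdn.example.com/ol.js"></script>
<script>var options = {base_layer: "osm"}; new MapWidget(options);</script>
"""
EXTERNAL_PAGE = """
<div id="map" class="dj_map"></div>
<script id="map-options" type="application/json">{"base_layer": "osm"}</script>
<script src="/static/gis/js/ol.js"></script>
<script src="/static/gis/js/map_init.js"></script>
"""
JS_TYPES = {"", "module", "text/javascript", "application/javascript"}


class SelfOnlyAudit(HTMLParser):
    """Collect markup a browser enforcing default-src 'self' would refuse."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        line = self.getpos()[0]
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((line, "inline-handler", name))
            elif name == "style":
                self.findings.append((line, "inline-style", tag))
            elif name == "src" or (tag == "link" and name == "href"):
                # Assumption: the page origin is unknown here, so any URL
                # that names a host is reported for manual review.
                if urlparse(value).netloc:
                    self.findings.append((line, "cross-origin", value))
        is_js = attrs.get("type", "").strip().lower() in JS_TYPES
        if tag == "script" and "src" not in attrs and is_js:
            self.findings.append((line, "inline-script", tag))
        elif tag == "style":
            self.findings.append((line, "inline-style", tag))

def audit(html):
    parser = SelfOnlyAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

The JSON data block in the second sample is not executed by the browser, so it is not reported; only script elements with a JavaScript type and no `src` count as inline scripts.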
follow-up: 12 comment:11 by , 12 months ago
I opened the same issue: https://code.djangoproject.com/ticket/35017 (sorry for the duplicate)
I'm interested in a solution.
What is the problem with PR https://github.com/django/django/pull/7205 ?
comment:12 by , 12 months ago
Replying to Matthieu Marrast:
What is the problem with PR https://github.com/django/django/pull/7205 ?
I would say the main problem is to replace the base_layer block which was not present at the time of that patch, and still allow base layer customization. It would probably imply specifying a custom js file somewhere, but someone has to come up with a good plan to put pieces in place for that, with an upgrade path.
comment:13 by , 3 months ago
Has patch: | set |
---|
So I decided to bite the bullet once more and cook a new patch, giving up on the backwards compatibility part, as I think it would be too hard to do (unless someone suggests a reasonable deprecation path).
comment:14 by , 3 months ago
Patch needs improvement: | set |
---|
I haven't started a "full review" on this one but it would be helpful to have the docs and JS tests passing to start with.
This PR does the job for the GIS forms/widgets. I may need help for JS correctness...