Don’t load GIS static assets from external servers

[Konrad Mohrfeldt]

Hi,

I’ve noticed that the django.contrib.gis module, specifically:

• ​forms/widgets.py line 84
• ​forms/widgets.py line 89
• and ​admin/options.py line 64

loads JavaScript and CSS files from Cloudflare CDN servers. I find this very irritating and though ​the documentation mentions that I’m free to override these assets myself I don’t think it’s a good default for privacy nor service reliability to use third party servers. I’ve noticed this myself because my project’s Content-Security-Policy blocks cross origin hosts.

As far as I can see the sources are all released under the BSD license and can probably be shipped along with Django. Is there any reason this hasn’t been done and would you care for pull requests that include these libraries as part of the static assets shipped with the django.contrib.gis module?

Thank you for your time,

Konrad

[Carlton Gibson]

OK, I think this is in line with other tickets to aid stricter CSPs.

[Mariusz Felisiak]

I'm not sure about this, we will increase the size of Django by 1MB ~ 10%, where many (most?) users don't use GIS.

[Carlton Gibson]

Perhaps then a docs note spelling out more clearly what to do to provide them locally? 🤔

[Claude Paroz]

I'm with Mariusz here, not thrilled to vendor such "heavy" JS libs. In the longer term, I guess that Django will not escape using some asset bundler, which will be the proper fix.

[Carlton Gibson]

OK, I think that's two for wontfix. I suspect folks using strict CSP are already used to vendoring dependencies themselves, so… — as ever, a balance to tread.