Opened 3 years ago
Closed 3 years ago
#33363 closed Cleanup/optimization (wontfix)
Don’t load GIS static assets from external servers
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | Konrad Mohrfeldt | Owned by: | nobody |
| Component: | GIS | Version: | 4.0 |
| Severity: | Normal | Keywords: | |
| Cc: | Claude Paroz | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hi,
I’ve noticed that the django.contrib.gis module, specifically:
loads JavaScript and CSS files from Cloudflare CDN servers. I find this very irritating and though the documentation mentions that I’m free to override these assets myself I don’t think it’s a good default for privacy nor service reliability to use third party servers. I’ve noticed this myself because my project’s Content-Security-Policy blocks cross origin hosts.
As far as I can see the sources are all released under the BSD license and can probably be shipped along with Django. Is there any reason this hasn’t been done and would you care for pull requests that include these libraries as part of the static assets shipped with the django.contrib.gis module?
Thank you for your time,
Konrad
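The CSP interaction described in the report, as an added stand-alone example that is not part of the ticket or of Django: a small, simplified checker that evaluates a page's Content-Security-Policy against a widget's asset URLs and shows that CDN-hosted scripts and stylesheets fail a `'self'`-only policy while locally served copies pass. The origin, policy and asset URLs are constructed placeholders; the matcher ignores paths, nonces and hashes.

```python
from urllib.parse import urlparse

# Constructed sample values (not Django's): the app's origin, a strict policy of
# the kind the ticket describes, and the widget assets to check against it.
PAGE_ORIGIN = "https://app.example"
STRICT_CSP = "default-src 'self'; script-src 'self'; style-src 'self'"
ASSETS = {  # asset URL -> the CSP directive that governs loading it
    "https://cdn.example-cdn.test/ol/ol.js": "script-src",
    "https://cdn.example-cdn.test/ol/ol.css": "style-src",
    "https://app.example/static/gis/vendored/ol.js": "script-src",
}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    parts = [p.split() for p in header.split(";")]
    return {t[0].lower(): t[1:] for t in parts if t}


def origin_of(url):
    # (scheme, host, port) with the scheme's default port filled in
    p = urlparse(url)
    return p.scheme.lower(), (p.hostname or ""), p.port or (443 if p.scheme == "https" else 80)


def source_allows(expr, asset_url, page_origin):
    """Simplified CSP source match: scheme, host (with *. wildcard), port; no path/nonce/hash handling."""
    a_scheme, a_host, a_port = origin_of(asset_url)
    if expr == "'self'":
        return origin_of(page_origin) == (a_scheme, a_host, a_port)
    if expr.startswith("'"):  # 'none', 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
        return False
    if expr.endswith(":") and "://" not in expr:  # scheme source such as "https:"
        return a_scheme == expr[:-1].lower()
    e = urlparse(expr if "://" in expr else "//" + expr)  # host source
    if e.scheme and e.scheme.lower() != a_scheme:
        return False
    if e.port and e.port != a_port:
        return False
    e_host = (e.hostname or "").lower()
    if e_host.startswith("*."):
        return a_host.endswith(e_host[1:])
    return e_host == a_host


def blocked_assets(header, assets, page_origin):
    """Return the asset URLs the policy would refuse to load, in input order."""
    policy = parse_csp(header)
    blocked = []
    for url, directive in assets.items():
        sources = policy.get(directive, policy.get("default-src", []))  # CSP fallback rule
        if not any(source_allows(s, url, page_origin) for s in sources):
            blocked.append(url)
    return blocked
```

Under the strict policy only the two CDN URLs are reported as blocked; widening `script-src`/`style-src` to the CDN host, or serving the files from the app's own origin, clears the list.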
Change History (6)
comment:1 by , 3 years ago
Triage Stage: Unreviewed → Accepted
comment:2 by , 3 years ago
Summary: Don’t load static assets from external servers → Don’t load GIS static assets from external servers
comment:3 by , 3 years ago
Cc: added
I'm not sure about this, we will increase the size of Django by 1MB ~ 10%, where many (most?) users don't use GIS.
comment:4 by , 3 years ago
Perhaps then a docs note spelling out more clearly what to do to provide them locally? 🤔
comment:5 by , 3 years ago
I'm with Mariusz here, not thrilled to vendor such "heavy" JS libs. In the longer term, I guess that Django will not escape using some asset bundler, which will be the proper fix.
comment:6 by , 3 years ago
Resolution: → wontfix
Status: new → closed
Triage Stage: Accepted → Unreviewed
OK, I think that's two for wontfix. I suspect folks using strict CSP are already used to vendoring dependencies themselves, so… — as ever, a balance to tread.
OK, I think this is in line with other tickets to aid stricter CSPs.