Opened 3 years ago

Closed 3 years ago

#33363 closed Cleanup/optimization (wontfix)

Don’t load GIS static assets from external servers

Reported by: Konrad Mohrfeldt
Owned by: nobody
Component: GIS
Version: 4.0
Severity: Normal
Keywords:
Cc: Claude Paroz
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Hi,

I’ve noticed that the django.contrib.gis module, specifically:

loads JavaScript and CSS files from Cloudflare CDN servers. I find this very irritating, and though the documentation mentions that I’m free to override these assets myself, I don’t think it’s a good default for privacy or service reliability to use third-party servers. I’ve noticed this myself because my project’s Content-Security-Policy blocks cross-origin hosts.

As far as I can see the sources are all released under the BSD license and can probably be shipped along with Django. Is there any reason this hasn’t been done and would you care for pull requests that include these libraries as part of the static assets shipped with the django.contrib.gis module?

Thank you for your time,

Konrad
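The situation the reporter describes, as an added example that is not part of this ticket and not Django's own code: a small Python checker that evaluates a Content-Security-Policy header against the asset list a form widget declares (the `{"js": [...], "css": [...]}` shape of a Django widget `Media` class) and reports which assets the browser would refuse to fetch. The page origin `https://app.example.org`, the CDN host `cdn.example.net`, the asset paths and both policy strings are constructed sample data; the matching rules follow the CSP source-expression algorithm for `'self'`, scheme sources and host sources (wildcard subdomains, ports, path prefixes).

```python
"""Evaluate a Content-Security-Policy against a widget's asset list.

Added example for this ticket (not Django code): it models the reporter's
setup, where a strict CSP blocks cross-origin hosts, and reports which
assets a page would refuse to fetch until they are served locally.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# CSP fetch directive that governs each asset kind of a Media-style declaration.
DIRECTIVE_FOR = {"js": "script-src", "css": "style-src"}

# Constructed sample data (not the ticket's or Django's own values):
# a third-party CDN script and stylesheet next to two local static files.
PAGE_ORIGIN = "https://app.example.org"
SAMPLE_MEDIA = {
    "js": ["https://cdn.example.net/libs/ol/ol.js", "/static/gis/js/OLMapWidget.js"],
    "css": ["https://cdn.example.net/libs/ol/ol.css", "/static/gis/css/ol3.css"],
}
STRICT_CSP = "default-src 'self'; script-src 'self'; style-src 'self'"
RELAXED_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.net; "
               "style-src 'self' *.example.net")


def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive and, per the spec, only the first
    occurrence of a directive counts; later duplicates are ignored.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_matches(expr, url, page_origin):
    """Return True if one CSP source expression permits fetching `url`."""
    target, page, expr = urlsplit(url), urlsplit(page_origin), expr.lower()
    if expr == "'self'":
        return (target.scheme, target.hostname, _effective_port(target)) == (
            page.scheme, page.hostname, _effective_port(page))
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes: never match a URL
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1]  # scheme-source such as "https:"
    # host-source: [scheme://]host[:port][/path]
    scheme, _, rest = expr.rpartition("://")
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme:
        if target.scheme != scheme:
            return False
    elif target.scheme != page.scheme and not (page.scheme == "http" and target.scheme == "https"):
        return False  # scheme-less sources inherit the page's scheme (http may upgrade)
    if host.startswith("*."):
        if not target.hostname.endswith(host[1:]):  # subdomains only, not the bare domain
            return False
    elif host != "*" and host != target.hostname:
        return False
    if port == "*":
        pass
    elif port:
        if int(port) != _effective_port(target):
            return False
    elif _effective_port(target) != DEFAULT_PORTS.get(target.scheme):
        return False  # no port in the expression means the scheme's default port
    if slash:
        path = "/" + path
        return target.path.startswith(path) if path.endswith("/") else target.path == path
    return True


def blocked_assets(csp_header, media, page_origin):
    """List (directive, url) pairs for assets the policy would refuse to load.

    `media` has the shape of a widget Media declaration: {"js": [...], "css": [...]}.
    Relative paths are same-origin, so they are resolved against `page_origin`.
    """
    policy = parse_csp(csp_header)
    blocked = []
    for kind, urls in media.items():
        directive = DIRECTIVE_FOR[kind]
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue  # neither the directive nor default-src is set: unrestricted
        for url in urls:
            absolute = url if "://" in url else page_origin.rstrip("/") + "/" + url.lstrip("/")
            if not any(source_matches(src, absolute, page_origin) for src in sources):
                blocked.append((directive, url))
    return blocked


if __name__ == "__main__":
    for name, csp in (("strict", STRICT_CSP), ("relaxed", RELAXED_CSP)):
        print(f"{name}: {csp}")
        for directive, url in blocked_assets(csp, SAMPLE_MEDIA, PAGE_ORIGIN):
            print(f"  blocked by {directive}: {url}")
```

With the strict policy the checker lists the two CDN assets as blocked, which is the failure the reporter hit; the relaxed policy, which allow-lists the CDN host, blocks nothing but reintroduces the third-party dependency. The remedy the reporter prefers, and which the documentation he cites allows, is to serve the files from the project's own static files by subclassing the widget and overriding its `Media` declaration so that every entry resolves under `'self'`, leaving the strict policy intact.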

Change History (6)

comment:1 by Carlton Gibson, 3 years ago

Triage Stage: Unreviewed → Accepted

OK, I think this is in line with other tickets to aid stricter CSPs.

comment:2 by Carlton Gibson, 3 years ago

Summary: Don’t load static assets from external servers → Don’t load GIS static assets from external servers

comment:3 by Mariusz Felisiak, 3 years ago

Cc: Claude Paroz added

I'm not sure about this; we will increase the size of Django by 1MB ~ 10%, where many (most?) users don't use GIS.

comment:4 by Carlton Gibson, 3 years ago

Perhaps then a docs note spelling out more clearly what to do to provide them locally? 🤔

comment:5 by Claude Paroz, 3 years ago

I'm with Mariusz here, not thrilled to vendor such "heavy" JS libs. In the longer term, I guess that Django will not escape using some asset bundler, which will be the proper fix.

comment:6 by Carlton Gibson, 3 years ago

Resolution: wontfix
Status: new → closed
Triage Stage: Accepted → Unreviewed

OK, I think that's two for wontfix. I suspect folks using strict CSP are already used to vendoring dependencies themselves, so… — as ever, a balance to tread.
