Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#33803 closed Bug (invalid)

Add crossorigin attribute to django admin templates

Reported by: fcrozatier Owned by: nobody
Component: contrib.admin Version: 4.0
Severity: Normal Keywords: crossorigin COEP
Cc: Adam Johnson Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When we store our static files on a cloud (DigitalOcean Spaces in my case) and we have Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers on the load balancer, the files are blocked since they are not same-origin. This is usually not a problem; we just have to add a crossorigin attribute, but in the case of Django admin files the templates do not set them.

Should we add the crossorigin attribute to the script, link and img tags of the template files?

Without this attribute the files are blocked with Cross-Origin Opener Policy.

Change History (3)

comment:1 by Mariusz Felisiak, 3 years ago

Cc: Adam Johnson added

comment:2 by Adam Johnson, 3 years ago

Resolution: invalid
Status: new → closed

No, the answer here is not to change Django. When setting COEP to require-corp, you have two options to allow cross-origin assets to work. *Either* you set the crossorigin attribute, or the assets are served with a CORP header declaring cross-origin loading to be allowed. Thus, you should change your static asset hosting to add this CORP header. I blogged about these headers here: https://adamj.eu/tech/2021/05/01/how-to-set-coep-coop-corp-security-headers-in-django/

Also with HTTP 2+ it's more efficient to serve your assets from the same domain, as they can be served on a single connection. Most sites should be doing this. Whitenoise is a popular solution for doing so with minimal configuration: https://whitenoise.evans.io/en/stable/ .
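As an added example (not code from the ticket, from Django, or from the blog post linked above), the following Python model encodes the rule stated in the comment: under COEP require-corp, a cross-origin asset loads only through the crossorigin attribute (CORS mode, which then needs a matching Access-Control-Allow-Origin) or through a permissive Cross-Origin-Resource-Policy header on the asset. Host names in the usage are constructed, and the same-site check is a deliberately simplified stand-in for the browser's Public Suffix List lookup.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the browser's notion of origin: (scheme, host, port)."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def origin_str(o):
    """Serialise an origin the way it appears in Access-Control-Allow-Origin."""
    scheme, host, port = o
    return f"{scheme}://{host}" if port == DEFAULT_PORTS.get(scheme) else f"{scheme}://{host}:{port}"


def same_site(host_a, host_b):
    """Constructed stand-in for the browser's same-site check (last two labels);
    real browsers consult the Public Suffix List."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def asset_load_decision(page_url, asset_url, coep="require-corp",
                        corp=None, crossorigin=False, acao=None):
    """Decide whether a <script>/<link>/<img> subresource loads; returns (allowed, reason).

    coep: the page's Cross-Origin-Embedder-Policy; corp: the asset's
    Cross-Origin-Resource-Policy; crossorigin: whether the tag carries a
    crossorigin attribute (CORS mode); acao: the asset's Access-Control-Allow-Origin.
    """
    page, asset = origin(page_url), origin(asset_url)
    if page == asset:
        return True, "same-origin: COEP never applies"
    if coep != "require-corp":
        return True, "COEP not enforced"
    if crossorigin:
        # Option 1 from the comment: CORS mode, so the asset must opt in via ACAO.
        if acao in ("*", origin_str(page)):
            return True, "crossorigin attribute with matching Access-Control-Allow-Origin"
        return False, "crossorigin attribute set but no matching Access-Control-Allow-Origin"
    # Option 2: no-cors fetch (the admin templates set no crossorigin), so CORP decides.
    if corp == "cross-origin":
        return True, "Cross-Origin-Resource-Policy: cross-origin"
    if corp == "same-site" and same_site(page[1], asset[1]):
        return True, "Cross-Origin-Resource-Policy: same-site on a same-site host"
    return False, "blocked by COEP require-corp: no crossorigin attribute and no permissive CORP"


# The fix the comment recommends: have the static host send this on every asset.
STATIC_HOST_HEADERS = {"Cross-Origin-Resource-Policy": "cross-origin"}
```

The first case in the assertions below is the reporter's situation: admin CSS on a separate bucket host, no crossorigin attribute, no CORP header, and the page sending require-corp.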

in reply to: comment:2 | comment:3 by fcrozatier, 2 years ago

Replying to Adam Johnson:

> No, the answer here is not to change Django. When setting COEP to require-corp, you have two options to allow cross-origin assets to work. *Either* you set the crossorigin attribute, or the assets are served with a CORP header declaring cross-origin loading to be allowed. Thus, you should change your static asset hosting to add this CORP header. I blogged about these headers here: https://adamj.eu/tech/2021/05/01/how-to-set-coep-coop-corp-security-headers-in-django/
>
> Also with HTTP 2+ it's more efficient to serve your assets from the same domain, as they can be served on a single connection. Most sites should be doing this. Whitenoise is a popular solution for doing so with minimal configuration: https://whitenoise.evans.io/en/stable/ .

Thank you.
