id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35017	Template openlayers.html with inline script - Content-Security-Policy	Matthieu Marrast	nobody	"The template **openlayers.html** (https://github.com/django/django/blob/main/django/contrib/gis/templates/gis/openlayers.html) provides **inline script**:

{{{
<script>
        {% block base_layer %}
            var base_layer = new ol.layer.Tile({
                source: new ol.source.XYZ({
                    attributions: ""NASA Worldview"",
                    maxZoom: 8,
                    url: ""https://map1{a-c}.vis.earthdata.nasa.gov/wmts-webmerc/"" +
                         ""BlueMarble_ShadedRelief_Bathymetry/default/%7BTime%7D/"" +
                         ""GoogleMapsCompatible_Level8/{z}/{y}/{x}.jpg""
                })
            });
        {% endblock %}
        {% block options %}var options = {
            base_layer: base_layer,
            geom_name: '{{ geom_type }}',
            id: '{{ id }}',
            map_id: '{{ id }}_map',
            map_srid: {{ map_srid|unlocalize }},
            name: '{{ name }}'
        };
        {% endblock %}
        var {{ module }} = new MapWidget(options);
</script>
}}}

So to make it work with Content-Security-Policies, we must add `script-src 'unsafe-inline'` in our HTTP response headers.
This is not safe. Security and pentest tools raise alerts regarding this.

Without this security policy, the map is not shown.

References:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- https://www.w3.org/TR/CSP2/
- https://www.w3.org/TR/CSP/
- https://caniuse.com/#search=content+security+policy
- https://content-security-policy.com/
- https://github.com/shapesecurity/salvation
- https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
"	Cleanup/optimization	closed	GIS	5.0	Normal	duplicate	CSP, Content-Security-Policies, script, unsafe-inline, inline script		Unreviewed	0	0	0	0	0	0
