#35692 closed New feature (duplicate)
form media elements should support emitting CSP nonces
| Reported by: | László Károlyi | Owned by: | |
|---|---|---|---|
| Component: | Forms | Version: | 4.2 |
| Severity: | Normal | Keywords: | csp |
| Cc: | László Károlyi | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hello,
there is the django-csp Pypi module that makes the setting of a proper CSP achievable in django. If one uses 'strict-dynamic' and a nonce per request, all script tags (and eventually link/style tags) will need the nonce emitted at render time.
I've already committed a change to django-debug-toolbar with this that is now accepted: https://github.com/jazzband/django-debug-toolbar/pull/1975
In Django itself, the form media tags are generated in django/forms/widgets.py:
Respectively, the render_js and render_css methods are called.
The problem is, in order to emit the nonce, one needs the request object that is not passed to the media object, since that contains the csp_nonce variable. One possibility would be to fetch the current request from the current thread which probably not a good idea in an async environment. In the toolbar module, I simply look for a csp_nonce to see if it's set, and render if it is.
This will lead to more issues down the line, so I request a change on this. For the time being, it's only avoidable by rendering the media tags manually.
Change History (3)
comment:1 by , 3 months ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
follow-up: 3 comment:2 by , 2 months ago
I believe this issue is more about requesting that the django.forms.widget.Media class have access to the request object so that the render_js and render_css (or subclass) could use them to render the tags with the nonce, which could be added independently of the work in #15727.
comment:3 by , 2 months ago
Replying to Rob Hudson:
I believe this issue is more about requesting that the
django.forms.widget.Mediaclass have access to therequestobject so that therender_jsandrender_css(or subclass) could use them to render the tags with thenonce, which could be added independently of the work in #15727.
Indeed, thanks. The issue is not a duplicate and hence it shouldn't have been closed. It is a separate problem.
I might be wrong, but it feels like support for
strict-dynamicis being worked on in #15727You might be able to work on this with
Refs #15727but align this work to any work being progressed as part of that ticket