Opened 5 weeks ago

Closed 5 weeks ago

Last modified 2 weeks ago

#35692 closed New feature (duplicate)

form media elements should support emitting CSP nonces

Reported by: László Károlyi Owned by:
Component: Forms Version: 4.2
Severity: Normal Keywords: csp
Cc: László Károlyi Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hello,

there is the django-csp Pypi module that makes the setting of a proper CSP achievable in django. If one uses 'strict-dynamic' and a nonce per request, all script tags (and eventually link/style tags) will need the nonce emitted at render time.

I've already committed a change to django-debug-toolbar with this that is now accepted: https://github.com/jazzband/django-debug-toolbar/pull/1975

In Django itself, the form media tags are generated in django/forms/widgets.py:

https://github.com/django/django/blob/e0579ce27746b04a37cf43559df445068fd2a781/django/forms/widgets.py#L93

Respectively, the render_js and render_css methods are called.

The problem is, in order to emit the nonce, one needs the request object that is not passed to the media object, since that contains the csp_nonce variable. One possibility would be to fetch the current request from the current thread which probably not a good idea in an async environment. In the toolbar module, I simply look for a csp_nonce to see if it's set, and render if it is.

This will lead to more issues down the line, so I request a change on this. For the time being, it's only avoidable by rendering the media tags manually.

Change History (3)

comment:1 by Sarah Boyce, 5 weeks ago

Resolution: duplicate
Status: newclosed

I might be wrong, but it feels like support for strict-dynamic is being worked on in #15727
You might be able to work on this with Refs #15727 but align this work to any work being progressed as part of that ticket

comment:2 by Rob Hudson, 2 weeks ago

I believe this issue is more about requesting that the django.forms.widget.Media class have access to the request object so that the render_js and render_css (or subclass) could use them to render the tags with the nonce, which could be added independently of the work in #15727.

in reply to:  2 comment:3 by László Károlyi, 2 weeks ago

Replying to Rob Hudson:

I believe this issue is more about requesting that the django.forms.widget.Media class have access to the request object so that the render_js and render_css (or subclass) could use them to render the tags with the nonce, which could be added independently of the work in #15727.

Indeed, thanks. The issue is not a duplicate and hence it shouldn't have been closed. It is a separate problem.

Note: See TracTickets for help on using tickets.
Back to Top