id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35692	form media elements should support emitting CSP nonces	László Károlyi		"Hello,

there is the django-csp PyPI module that makes the setting of a proper CSP achievable in django. If one uses 'strict-dynamic' and a nonce per request, all script tags (and eventually link/style tags) will need the nonce emitted at render time.

I've already committed a change to django-debug-toolbar with this that is now accepted: https://github.com/jazzband/django-debug-toolbar/pull/1975

In Django itself, the form media tags are generated in `django/forms/widgets.py`:

https://github.com/django/django/blob/e0579ce27746b04a37cf43559df445068fd2a781/django/forms/widgets.py#L93

Respectively, the `render_js` and `render_css` methods are called.

The problem is, in order to emit the nonce, one needs the request object that is not passed to the media object, since that contains the `csp_nonce` variable. One possibility would be to fetch the current request from the current thread, which is probably not a good idea in an async environment. In the toolbar module, I simply look for a `csp_nonce` to see if it's set, and render if it is.

This will lead to more issues down the line, so I request a change on this. For the time being, it's only avoidable by rendering the media tags manually."	New feature	closed	Forms	4.2	Normal	duplicate	csp	László Károlyi	Unreviewed	0	0	0	0	0	0
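
The workaround the ticket ends on, rendering the media tags by hand with the request's nonce, as an added illustration that is not Django's, django-csp's or the reporter's code. It reproduces the markup that `Media.render_css` and `Media.render_js` emit (CSS first, then JS, as `Media.render` orders them), but takes the nonce as an explicit argument rather than reaching for a thread-local request, so the same code works in sync and async views; it also builds the matching `Content-Security-Policy` value and checks that every rendered `<script>` tag carries the header's nonce, which is what a browser enforces under `'strict-dynamic'`. The function names (`make_nonce`, `build_csp_header`, `render_media_with_nonce`, `check_nonces`), the sample paths and the nonce format (16 random bytes, base64) are assumptions of this example; in a real view the nonce would come from django-csp's `request.csp_nonce` instead of `make_nonce`.

```python
"""Added example: emit a per-request CSP nonce into form media tags by hand.

Not Django's or django-csp's code. Helper names and sample paths are
hypothetical; the nonce format assumes 16 random bytes encoded as base64.
"""
import base64
import re
import secrets
from html import escape

# Constructed sample: the resolved paths a widget's Media(js=[...], css={...})
# would yield after absolute_path() prefixes them with STATIC_URL.
SAMPLE_JS = ["/static/admin/js/vendor/jquery/jquery.js", "/static/myapp/widget.js"]
SAMPLE_CSS = {"all": ["/static/myapp/widget.css"]}

_SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
_NONCE_ATTR_RE = re.compile(r'\bnonce="([^"]*)"')
_HEADER_NONCE_RE = re.compile(r"'nonce-([^']+)'")


def make_nonce() -> str:
    """One fresh nonce per request: 128 bits of randomness, base64-encoded.

    Stand-in for django-csp's request.csp_nonce; never reuse it across
    requests, or the nonce no longer proves anything to the browser.
    """
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp_header(nonce: str) -> str:
    """Policy value to send alongside the page that uses `nonce`.

    'strict-dynamic' makes the browser ignore host allow-lists for scripts,
    so every script tag in the page must carry this exact nonce to run.
    """
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )


def render_media_with_nonce(js, css, nonce: str) -> str:
    """Render the tags form.media would produce, each with a nonce attribute.

    js:  iterable of script paths (already resolved, like Media._js)
    css: mapping of medium -> iterable of stylesheet paths, like Media._css
    The nonce is passed in explicitly; nothing here touches thread-local or
    global request state, so this is safe to call from async views too.
    """
    q = lambda s: escape(s, quote=True)  # attribute-safe escaping
    tags = []
    for medium, paths in css.items():
        for path in paths:
            tags.append(
                f'<link href="{q(path)}" media="{q(medium)}" rel="stylesheet" nonce="{q(nonce)}">'
            )
    for path in js:
        tags.append(f'<script src="{q(path)}" nonce="{q(nonce)}"></script>')
    return "\n".join(tags)


def check_nonces(html: str, header: str) -> list:
    """Return the opening <script> tags whose nonce does not match `header`.

    A tag rendered without the nonce, or with a nonce from another request,
    is exactly what the browser will refuse to execute under the policy.
    """
    m = _HEADER_NONCE_RE.search(header)
    expected = m.group(1) if m else None
    bad = []
    for tag in _SCRIPT_TAG_RE.findall(html):
        found = _NONCE_ATTR_RE.search(tag)
        if found is None or found.group(1) != expected:
            bad.append(tag)
    return bad


def demo(nonce=None):
    """Render the sample media for one request and verify it against the header."""
    nonce = nonce or make_nonce()
    header = build_csp_header(nonce)
    html = render_media_with_nonce(SAMPLE_JS, SAMPLE_CSS, nonce)
    return header, html, check_nonces(html, header)


if __name__ == "__main__":
    header, html, bad = demo()
    print("Content-Security-Policy:", header)
    print(html)
    print("tags missing the nonce:", bad)
```

The point of passing `nonce` as a plain argument is the one the ticket makes: the media object itself has no request, so until `Media` can accept a nonce the template (or view) that has the request must do the rendering and hand the nonce down explicitly. `check_nonces` is the check worth keeping around as a test: run it over a rendered page and it lists every script tag that the policy in the response header would block.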
