Opened 3 weeks ago

Closed 2 days ago

#36549 closed Bug (fixed)

OpenLayersWidget needs custom CSP rules when CSP is enabled

Reported by: Natalia Bidart Owned by: David Smith
Component: GIS Version: dev
Severity: Release blocker Keywords:
Cc: Rob Hudson, Claude Paroz Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When using an OpenLayersWidget (for example via the GISModelAdmin), which declares custom JavaScript and CSS resources, and if the CSP middleware is enabled with a commonly secure rule, the JS and CSS resources are blocked. The full description can be seen here: https://forum.djangoproject.com/t/csp-and-geodjango/41879.

We need to, at least, mention this in the geodjango docs, likely in the https://docs.djangoproject.com/en/5.2/ref/contrib/gis/forms-api/ section, extending the existing paragraph:

OpenLayersWidget and OSMWidget use the ol.js file hosted on the cdn.jsdelivr.net content-delivery network. You can subclass these widgets in order to specify your own version of the ol.js file in the js property of the inner Media class (see Assets as a static definition).

This is a release blocker for 6.0. If we are only doing the docs change, it has to land before the release candidate (i.e. before string freeze).

Change History (6)

comment:1 by Natalia Bidart, 3 weeks ago

Summary: OpenLayersWidget needs special rules when CSP is enabled → OpenLayersWidget needs csutom CSP rules when CSP is enabled

comment:2 by Sarah Boyce, 3 weeks ago

Cc: Rob Hudson Claude Paroz added
Summary: OpenLayersWidget needs csutom CSP rules when CSP is enabled → OpenLayersWidget needs custom CSP rules when CSP is enabled
Triage Stage: Unreviewed → Accepted

I think adding an admonition to OpenLayersWidget would be nice.

As an idea, we could try to implement a system check between assets defined in Media and the SECURITY_CSP setting (but it might not be feasible and would class as an enhancement not needed for 6.0). The nice thing would be that it should be clear when things are incompatible without us having to document specific cases.


comment:3 by David Smith, 2 weeks ago

Owner: set to David Smith
Status: new → assigned

comment:4 by Natalia Bidart, 8 days ago

Has patch: set
Patch needs improvement: set

comment:5 by Natalia Bidart, 2 days ago

Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin

comment:6 by GitHub <noreply@…>, 2 days ago

Resolution: fixed
Status: assigned → closed

In 0a67611:

Fixed #36549 -- Doc'd use of OpenLayersWidget and OSMWidget with CSP.

OpenLayersWidget and OSMWidget load map tiles from NASA and OpenStreetMap,
respectively. When CSP is enabled, appropriate directives must be added to
allow these resources to load.
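The system check sketched in comment 2 (compare a widget's Media assets against the CSP policy), worked through as an added stand-alone example; this is not Django's code and not part of the committed fix. It assumes a policy dict shaped like Django 6.0's SECURE_CSP setting with plain source strings, that scheme-less Media paths are served same-origin under STATIC_URL, and a constructed Media stand-in with a "VERSION" placeholder instead of a real ol.js pin.

```python
from urllib.parse import urlparse

# CSP directive governing each asset type of a widget's Media class.
DIRECTIVE_FOR_ASSET = {"js": "script-src", "css": "style-src"}

def source_allows(source, url):
    """True if one CSP source expression permits fetching `url`."""
    target = urlparse(url)
    if source == "*":
        return True
    if source == "'self'":
        # Scheme-less assets are STATIC_URL paths served same-origin (assumed).
        return not target.netloc
    if not target.netloc:
        return False  # a local asset needs 'self', not an external host
    if source.endswith(":"):  # scheme-source such as "https:"
        return target.scheme == source[:-1]
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    host, want = src.hostname or "", target.hostname or ""
    return want.endswith(host[1:]) if host.startswith("*.") else want == host

def blocked_assets(media, csp):
    """Return [(directive, url)] for each Media asset `csp` would block.
    media mirrors a widget's Media class ({"js": [...], "css": {"all": [...]}});
    csp maps directive -> list of sources; absent ones fall back to default-src."""
    blocked = []
    for kind, directive in DIRECTIVE_FOR_ASSET.items():
        assets = media.get(kind, [])
        if isinstance(assets, dict):  # css is keyed by media type
            assets = [u for urls in assets.values() for u in urls]
        sources = csp.get(directive, csp.get("default-src", []))
        for url in assets:
            if not any(source_allows(s, url) for s in sources):
                blocked.append((directive, url))
    return blocked

# Constructed stand-in for OpenLayersWidget.Media ("VERSION" is a placeholder).
OPENLAYERS_MEDIA = {
    "js": ["https://cdn.jsdelivr.net/npm/ol@VERSION/dist/ol.js", "gis/js/OLMapWidget.js"],
    "css": {"all": ["https://cdn.jsdelivr.net/npm/ol@VERSION/ol.css", "gis/css/ol3.css"]},
}
STRICT_CSP = {"default-src": ["'self'"]}  # the ticket's "commonly secure" policy
# Still default-deny, but script-src/style-src name the CDN host; tile hosts go under img-src.
FIXED_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.jsdelivr.net"],
    "style-src": ["'self'", "https://cdn.jsdelivr.net"],
}
```

Running blocked_assets(OPENLAYERS_MEDIA, STRICT_CSP) reports both CDN assets, while FIXED_CSP reports none; the same comparison run at startup would surface the incompatibility the ticket documents.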
