id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36549	OpenLayersWidget needs custom CSP rules when CSP is enabled	Natalia Bidart	David Smith	"When using a `OpenLayersWidget` (for example via the `GISModelAdmin`), which declares custom javascript and css resoures, and if the CSP middleware is enabled with a commonly secure rule, the JS and CSS resources are blocked. Full description can be seen here https://forum.djangoproject.com/t/csp-and-geodjango/41879.

We need to, at least, mention this in the geodjango docs, likely in the https://docs.djangoproject.com/en/5.2/ref/contrib/gis/forms-api/ section, extending the existing paragraph:

> OpenLayersWidget and OSMWidget use the ol.js file hosted on the cdn.jsdelivr.net content-delivery network. You can subclass these widgets in order to specify your own version of the ol.js file in the js property of the inner Media class (see Assets as a static definition).

This is a release blocker for 6.0. If we are only doing the docs change, it has to land before release candidate (i.e. before string freeze)"	Bug	closed	GIS	dev	Release blocker	fixed		Rob Hudson Claude Paroz	Ready for checkin	1	0	0	0	0	0