Opened 3 weeks ago

Last modified 30 hours ago

#36825 assigned New feature

CSP nonces are not applied in the Django admin

Reported by: Carsten Fuchs Owned by: Kundan Yadav
Component: contrib.admin Version: 6.0
Severity: Normal Keywords: CSP, nonce, admin
Cc: Rob Hudson, Antoliny Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description (last modified by Carsten Fuchs)

When a Content Security Policy is configured in settings.py with directives that require script nonces, for example:

from django.utils.csp import CSP

SECURE_CSP = {
    "object-src": [CSP.NONE],
    "base-uri": [CSP.NONE],
    "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}

the Django admin interface stops working because the linked scripts used by the admin do not receive a nonce, resulting in CSP violations.

Expected behavior:
When CSP nonces are enabled, the Django admin should either automatically apply nonces to its scripts, or there should be a documented and supported way to make the admin compatible with nonce-based CSP configurations.

Change History (14)

comment:1 by Carsten Fuchs, 3 weeks ago

Description: modified (diff)

comment:2 by Natalia Bidart, 3 weeks ago

Cc: Rob Hudson added
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → New feature

Hello Carsten!

Thank you for taking the time to create this report. I have confirmed your findings:

Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://localhost:9000/static/admin/js/theme.js from being executed because it violates the following directive: “script-src 'strict-dynamic'”
Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://localhost:9000/static/admin/js/nav_sidebar.js from being executed because it violates the following directive: “script-src 'strict-dynamic'”

I am accepting this ticket as a new feature for 6.1, subject to volunteer contributions, to add nonce-based CSP support in the admin. Would you like to work on a branch?

comment:3 by Carsten Fuchs, 3 weeks ago

Hello Natalia,

thanks for accepting the ticket. I’d love to help and I can try, but realistically this might land closer to Django 61.0 than 6.1 — I don’t know the admin codebase well enough to move that quickly. 🙂 So, no promises.

comment:4 by Kundan Yadav, 3 weeks ago

Owner: set to Kundan Yadav
Status: new → assigned

comment:5 by Rob Hudson, 3 weeks ago

This is a subtle issue with regards to the nature of strict-dynamic.

The admin templates would need to add conditional nonce attributes to all script tags (both external and inline). For example:

Current (admin/base.html:9)

  <script src="{% static "admin/js/theme.js" %}"></script>

Should be:

  <script src="{% static "admin/js/theme.js" %}"{% if csp_nonce %} nonce="{{ csp_nonce }}"{% endif %}></script>

This would allow things to work in the following 4 scenarios (currently it seems Django 6.0 supports the first 3):

  1. when CSP middleware is not enabled (nonce is falsy, not added to header or script tags)
  2. when CSP is enabled without nonces (nonce not accessed, not added to header or script tags)
  3. when CSP uses nonces (nonce added to both tag and header)
  4. when CSP uses nonces with CSP.STRICT_DYNAMIC (nonce added to both tag and header)

The difference between 3 and 4 is that 3 would allow host-based allowlists and keyword allowlists to work. When CSP.STRICT_DYNAMIC is used, host-based allowlists and keyword (e.g. CSP.SELF) allowlists are ignored, so admin scripts would then require nonces.

Last edited 3 weeks ago by Rob Hudson (previous) (diff)
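A constructed Python model of the four scenarios from comment 5, added here as an illustration (it is not Django's own CSP code; the constants stand in for the django.utils.csp.CSP members, ORIGIN is an assumed page origin, and script_allowed is a simplified version of the browser's script-src-elem check):

```python
import secrets

# Constructed stand-ins for django.utils.csp.CSP members (not Django's objects).
NONE, SELF, NONCE, STRICT_DYNAMIC = "'none'", "'self'", "<nonce>", "'strict-dynamic'"
ORIGIN = "http://localhost:9000"  # assumed page origin, matching the console log above


def build_header(policy, nonce):
    """Serialise a SECURE_CSP-style dict; NONCE placeholders become 'nonce-<value>'.
    Returns None when no policy is configured (CSP middleware not enabled)."""
    if policy is None:
        return None
    parts = []
    for directive, sources in policy.items():
        rendered = [f"'nonce-{nonce}'" if s == NONCE else s for s in sources]
        parts.append(f"{directive} {' '.join(rendered)}")
    return "; ".join(parts)


def render_script(src, csp_nonce):
    """The conditional nonce attribute proposed for admin/base.html."""
    attr = f' nonce="{csp_nonce}"' if csp_nonce else ""
    return f'<script src="{src}"{attr}></script>'


def script_allowed(header, src, tag):
    """Simplified check for an external script element against script-src.
    A nonce matching the header always allows it; with 'strict-dynamic' host
    and keyword sources are ignored, otherwise 'self' covers same-origin scripts."""
    if header is None:
        return True
    directive = next((d for d in header.split("; ") if d.startswith("script-src ")), None)
    if directive is None:
        return True
    sources = directive.split()[1:]
    header_nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    tag_nonce = tag.split('nonce="')[1].split('"')[0] if 'nonce="' in tag else None
    if tag_nonce and tag_nonce in header_nonces:
        return True
    if STRICT_DYNAMIC in sources:
        return False
    return SELF in sources and src.startswith(ORIGIN)  # host allowlists omitted


def run_scenarios():
    """Return {scenario: (allowed with conditional nonce, allowed without it)}."""
    nonce = secrets.token_urlsafe(16)
    src = f"{ORIGIN}/static/admin/js/theme.js"
    scenarios = {
        1: (None, ""),                                               # middleware off
        2: ({"script-src": [SELF]}, ""),                             # CSP, no nonces
        3: ({"script-src": [SELF, NONCE]}, nonce),                   # nonces + allowlist
        4: ({"object-src": [NONE], "base-uri": [NONE],
             "script-src": [NONCE, STRICT_DYNAMIC]}, nonce),         # the ticket's policy
    }
    out = {}
    for n, (policy, csp_nonce) in scenarios.items():
        header = build_header(policy, csp_nonce)
        out[n] = (script_allowed(header, src, render_script(src, csp_nonce)),
                  script_allowed(header, src, render_script(src, "")))
    return out
```

Only scenario 4 rejects the tag that lacks a nonce, which is the admin breakage the ticket reports; with the conditional attribute every scenario passes.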

comment:6 by Antoliny, 3 weeks ago

Cc: Antoliny added

comment:8 by Natalia Bidart, 9 days ago

Needs documentation: set
Needs tests: set
Patch needs improvement: set

comment:9 by Kundan Yadav, 7 days ago

Needs tests: unset
Patch needs improvement: unset

comment:10 by Kundan Yadav, 3 days ago

Needs documentation: unset

comment:11 by Kundan Yadav, 32 hours ago

Hey, is there anything left or wrong in the PR?

comment:12 by Jacob Walls, 31 hours ago

Patch needs improvement: set

in reply to: 11; comment:13 by Natalia Bidart, 31 hours ago

Replying to Kundan Yadav:

Hey, is there anything left or wrong in the PR?

Hello Kundan, we appreciate your eagerness to contribute! Your branch is in the review queue and will be looked at when someone is available.

Please note that Django is a community driven project and we rely on volunteers to make not only code contributions, but also other contributions such as PR reviews. If you have any availability, please consider contributing in other areas apart from code. For more details, see https://docs.djangoproject.com/en/6.0/internals/contributing/new-contributors/.

Lastly, please make sure that your PR is of the highest quality possible, to avoid back and forth on issues that could have been caught by following the Contribution checklist.

in reply to: 13; comment:14 by Kundan Yadav, 30 hours ago

Replying to Natalia Bidart:

Replying to Kundan Yadav:

Hey, is there anything left or wrong in the PR?

Hello Kundan, we appreciate your eagerness to contribute! Your branch is in the review queue and will be looked at when someone is available.

Please note that Django is a community driven project and we rely on volunteers to make not only code contributions, but also other contributions such as PR reviews. If you have any availability, please consider contributing in other areas apart from code. For more details, see https://docs.djangoproject.com/en/6.0/internals/contributing/new-contributors/.

Lastly, please make sure that your PR is of the highest quality possible, to avoid back and forth on issues that could have been caught by following the Contribution checklist.

I will not use an LLM, and my next PR will be better than before.
