id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36825	CSP nonces are not applied in the Django admin	Carsten Fuchs		"When a Content Security Policy is configured in `settings.py` with directives that require script nonces, for example:

{{{
#!python
SECURE_CSP = {
    ""object-src"": [CSP.NONE],
    ""base-uri"": [CSP.NONE],
    ""script-src"": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}
}}}

the Django admin interface stops working because the linked scripts used by the admin do not receive a nonce, resulting in CSP violations.

**Expected behavior:**
When CSP nonces are enabled, the Django admin should either automatically apply nonces to its scripts, or there should be a documented and supported way to make the admin compatible with nonce-based CSP configurations.
"	Uncategorized	new	contrib.admin	6.0	Normal		CSP, nonce, admin		Unreviewed	0	0	0	0	0	0
