Opened 4 days ago
Last modified 4 days ago
#36825 assigned New feature
CSP nonces are not applied in the Django admin — at Initial Version
| Reported by: | Carsten Fuchs | Owned by: | |
|---|---|---|---|
| Component: | contrib.admin | Version: | 6.0 |
| Severity: | Normal | Keywords: | CSP, nonce, admin |
| Cc: | Rob Hudson, Antoliny | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When a Content Security Policy is configured in settings.py with directives that require script nonces, for example:
```python
from django.utils.csp import CSP  # the constants used below come from this module

SECURE_CSP = {
    "object-src": [CSP.NONE],
    "base-uri": [CSP.NONE],
    # every script on the page must carry the per-response nonce
    "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}
```
the Django admin interface stops working because the inline and linked scripts used by the admin do not receive a nonce, resulting in CSP violations.
Expected behavior:
When CSP nonces are enabled, the Django admin should either automatically apply nonces to its scripts, or there should be a documented and supported way to make the admin compatible with nonce-based CSP configurations.
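As an added illustration (not from the ticket or from Django's own code): a small Python model of how a browser evaluates the `script-src` directive above against the scripts on a page, run over constructed admin-like markup. It assumes a made-up nonce value and a simplified matching rule that only models the nonce, `'strict-dynamic'`, `'self'` and `'unsafe-inline'` source expressions.

```python
import re

# Constructed: the ticket's policy as the CSP header Django would emit, with a
# made-up per-response nonce.
SAMPLE_HEADER = ("object-src 'none'; base-uri 'none'; "
                 "script-src 'nonce-r4nd0mN0nce' 'strict-dynamic'")

# Constructed admin-like markup: a linked and an inline script without a nonce,
# and one linked script that carries it.
SAMPLE_ADMIN_HTML = """
<script src="/static/admin/js/theme.js" defer></script>
<script>window.__admin_utc_offset__ = 0;</script>
<script nonce="r4nd0mN0nce" src="/static/admin/js/nav_sidebar.js"></script>
"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_csp(header):
    # {directive: [source expressions]}, e.g. {"script-src": ["'nonce-x'", ...]}
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def extract_scripts(html):
    # Yields (src, nonce) per <script> start tag; src is None for inline blocks.
    for m in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(m.group(1)))
        yield attrs.get("src"), attrs.get("nonce")


def script_allowed(policy, src, nonce):
    # Simplified script-src evaluation: a matching nonce always wins; under
    # 'strict-dynamic' everything else is refused; otherwise inline needs
    # 'unsafe-inline' and a same-origin URL needs 'self'.
    sources = policy.get("script-src", [])
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonce is not None and nonce in nonces:
        return True
    if "'strict-dynamic'" in sources:
        return False
    if src is None:
        return "'unsafe-inline'" in sources
    return "'self'" in sources and src.startswith("/")


def csp_violations(header, html):
    # Labels for every script the policy would refuse to run.
    policy = parse_csp(header)
    return [src or "<inline script>" for src, nonce in extract_scripts(html)
            if not script_allowed(policy, src, nonce)]
```

Running `csp_violations(SAMPLE_HEADER, SAMPLE_ADMIN_HTML)` lists exactly the two admin scripts that lack the nonce, which is the breakage the ticket describes.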