| 150 | | == Security: Bring CORS and CSP into core == |
| 151 | | |
| 152 | | || Difficulty || Medium |
| 153 | | || Size || 350hrs |
| 154 | | || Potential Mentors || TBC |
| 155 | | || Key Skills || HTTP request-response cycle, middleware, decorators |
| 156 | | |
| 157 | | There are third-party apps providing support for [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS Cross-Origin Resource Sharing (CORS)] `django-cors-headers` and [https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Content Security Policy (CSP)] `django-csp`, but it would be good to have support built-in to core. |
| 158 | | |
| 159 | | Following the design of the CSRF/clickjacking protection, having safe defaults, and allowing straightforward per-path customisation, via e.g. decorators, would improve the security of all Django projects. |
| 160 | | |
| 161 | | Outcome would be a pair of PRs adding these into Django. |
| 162 | | |
| 179 | | == Improve the Database Cache Backend == |
| 180 | | |
| 181 | | || Difficulty || Medium. |
| 182 | | || Size || 350hrs |
| 183 | | || Potential Mentors|| TBC |
| 184 | | || Key Skills || Cache Framework |
| 185 | | |
| 186 | | Setting up a shared cache backend is nearly always required, as many |
| 187 | | third-party packages assume the cache works like this (unlike the default |
| 188 | | locmemcache which is per process). DatabaseCache is the easiest such cache |
| 189 | | backend, not requiring any extra infra and working on shared hosts without a |
| 190 | | filesystem. But it could be better. |
| 191 | | |
| 192 | | Django-Mysql has had a much better DB cache backend implementation since 2015: https://adamj.eu/tech/2015/05/17/building-a-better-databasecache-for-django-on-mysql/ . This has never been adapted for the other supported databases but it should be fairly straightforward, mostly some translation of SQL to different dialects. |
| 193 | | |
| 194 | | Expected outcome would be a PR improvement database cache backend. |
| 195 | | |
| 196 | | As a stretch goal, it would also be nice to hook the database cache tables into |
| 197 | | migrations somehow rather than the current hacky duck typing approach: |
| 198 | | https://github.com/django/django/blob/64b3c413da011f55469165256261f406a277e822/django/core/cache/backends/db.py#L12-L28 ). |
| 211 | | == Configurable Content Type Parsing == |
| 212 | | |
| 213 | | || Difficulty || Medium. |
| 214 | | || Size || 350hrs |
| 215 | | || Potential Mentors || TBC |
| 216 | | || Key Skills || HTTP request-response cycle |
| 217 | | |
| 218 | | For Django 5.0 we're looking to modernize the `HTTPRequest` object, adding a content-type aware `request.data` property. This will parse `request.body` according to the content type. |
| 219 | | |
| 220 | | The initial phase — targeted for before GSoC — will add `request.data` and add support for JSON body handling, but the next phase is to make that fully pluggable with custom parsers. |
| 221 | | |
| 222 | | - Add a list of parsers to the request object, that can be customised — in a middleware for example — at any point prior to accessing `request.data`. |
| 223 | | - Parsers should implement a `can_handle(content_type) -> Bool` method. The first parser returning True will be selected to parse the `request.body`. |
| 224 | | |
| 225 | | Expected outcome is a PR allowing configurable content type parsing. |
| 226 | | |
| 227 | | |