Hi Adam, thanks for your comments.

> Given that it's still a W3C draft I am not sure it should be added to Django core yet.

I agree; note, however, that nonces are part of CSP Level 2, which is in "W3C Recommendation" status. Since support for nonces is a prerequisite for any of this, I'll refocus on just that part (in a separate message). After it's possible to handle the nonces, supporting strict-dynamic becomes possible, either in Django itself or in a third-party app.

> However it does seem that without a centralized solution for CSP nonces, they won't be usable with third party apps as you found with django-debug-toolbar.

Yes, this is the part where involvement from the framework is strictly required, I think.

> So I'm wondering, is your code public?

Not currently; I will polish it when I have time and publish it. However, as I said, it is very trivial, and doesn't do anything besides what I described in the post.

> And do you think it is worth trying to merge into django-csp, or would it be better as a standalone app?

It can certainly be added to django-csp, for visibility if nothing else, but in my opinion a standalone app would be nicer:

1. Whitelist policies and strict-dynamic are almost orthogonal; they cannot be combined in a single policy, since 'strict-dynamic' causes the whitelist directives in 'script-src' to be ignored. The django-csp configuration DSL is *mostly* useless for strict-dynamic.

2. I imagine a standalone package to have a simple "read short README, annotate <script> tags, enable & forget" workflow; integration in django-csp will drown that out and thus hinder adoption. It is famous that developers avoid policy-based security solutions; they are hard to configure and are disabled at the first sign of breakage.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/01a783af-bcaa-4fce-907c-b54ee3d6df58%40googlegroups.com.
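The two points the message makes, that a per-request nonce has to be issued centrally so every app on the page can read it, and that host whitelist entries in script-src are ignored once 'strict-dynamic' is present, are illustrated below in a stdlib-only WSGI middleware. This is an added example written for this page; it is not the poster's code, not django-csp, and not Django middleware (Django is not imported so it runs anywhere). The environ key `csp.nonce`, the function names, the `object-src`/`base-uri` companions in the header and the sample HTML are all assumptions made for the example.

```python
"""Per-request CSP nonces with 'strict-dynamic' as a pure-stdlib WSGI middleware (example code)."""
import base64
import re
import secrets
from typing import Callable, Iterable, List, Tuple

# Hypothetical environ key under which the per-request nonce is published, so
# templates and third-party apps (the debug-toolbar case from the thread) all
# read the same value instead of each generating their own.
NONCE_ENVIRON_KEY = "csp.nonce"


def make_nonce(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, base64-encoded as the CSP nonce grammar requires."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_script_src(nonce: str, strict_dynamic: bool = True,
                     hosts: Iterable[str] = ()) -> Tuple[str, List[str]]:
    """Return the script-src directive and the whitelist entries it had to drop.

    With 'strict-dynamic' present, browsers that implement it ignore host and
    scheme sources in script-src, so emitting them would document a policy that
    is not enforced. The dropped list is returned so the caller can log it.
    """
    sources = [f"'nonce-{nonce}'"]
    dropped: List[str] = []
    if strict_dynamic:
        sources.append("'strict-dynamic'")
        dropped = list(hosts)
    else:
        sources.extend(hosts)           # classic whitelist model
    return "script-src " + " ".join(sources), dropped


def annotate_scripts(html: str, nonce: str) -> str:
    """Add nonce="..." to every <script> tag that does not already carry one."""
    pattern = re.compile(r"<script\b(?![^>]*\bnonce=)", re.IGNORECASE)
    return pattern.sub(f'<script nonce="{nonce}"', html)


def nonce_from_policy(policy: str) -> str:
    """Extract the nonce value from a Content-Security-Policy header (for checks/tests)."""
    match = re.search(r"'nonce-([^']+)'", policy)
    return match.group(1) if match else ""


class CSPNonceMiddleware:
    """WSGI middleware: one fresh nonce per request, published in environ and in the header."""

    def __init__(self, app: Callable, strict_dynamic: bool = True, hosts: Iterable[str] = ()):
        self.app = app
        self.strict_dynamic = strict_dynamic
        self.hosts = tuple(hosts)
        self.dropped: List[str] = []    # whitelist entries ignored on the last request

    def __call__(self, environ, start_response):
        nonce = make_nonce()
        environ[NONCE_ENVIRON_KEY] = nonce
        script_src, self.dropped = build_script_src(nonce, self.strict_dynamic, self.hosts)
        # object-src/base-uri are this example's choice of companions for a nonce policy.
        policy = f"{script_src}; object-src 'none'; base-uri 'none'"

        def nonce_start_response(status, headers, exc_info=None):
            # Replace any CSP header an inner app set, so there is exactly one policy.
            headers = [(k, v) for k, v in headers if k.lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", policy))
            return start_response(status, headers, exc_info)

        return self.app(environ, nonce_start_response)


# Constructed sample view: one inline and one external script, both annotated
# with the nonce the middleware published in the environ.
SAMPLE_HTML = ('<html><body><script>init();</script>'
               '<script src="/static/app.js"></script></body></html>')


def sample_app(environ, start_response):
    body = annotate_scripts(SAMPLE_HTML, environ[NONCE_ENVIRON_KEY]).encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def run_request(app) -> Tuple[dict, str]:
    """Drive a WSGI app with a minimal environ and return (headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["headers"], body.decode()


if __name__ == "__main__":
    app = CSPNonceMiddleware(sample_app, hosts=["https://cdn.example"])
    headers, body = run_request(app)
    print(headers["Content-Security-Policy"])
    print("ignored whitelist entries:", app.dropped)
    print(body)
```

Running it shows a header of the form `script-src 'nonce-...' 'strict-dynamic'; object-src 'none'; base-uri 'none'`, the `https://cdn.example` entry reported as dropped rather than silently emitted, and both script tags carrying the same nonce as the header. A second request yields a different nonce, which is the property that makes the scheme safe against an attacker who can inject markup but not predict the value.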
