#36784: Add CSP support to Django's script object and media objects
--------------------------------+------------------------------------------
Reporter: Johannes Maron | Owner: Johannes Maron
Type: New feature | Status: assigned
Component: Forms | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------+------------------------------------------
Comment (by Johannes Maron):
== Request for Comment: CSP nonce in form media
**Goal:** We want to provide a way to render form media with CSP nonce
values (currently impossible).
There are multiple ways to go about this, all with their pros and cons. We
should put a strong emphasis on dev usability (for people with deadlines)
while weighing the security considerations (marked with an **(S)**).
Importantly, any approach (other than a tag) may set a precedent and must
be considered beyond the scope of this ticket.
I would kindly ask the steering council and the security team for an
official comment, including a short explanation for future reference.
=== Tag-based
{{{
{% with_nonce form.media %}
}}}
||= Pros =||= Cons =||
|| No changes to the template engine are required. || Requires updates to admin templates & 3rd-party packages. ||
|| Consistent with the current logic that rendering is handled in tags, like `csrf`. || Fairly code-intense in Django. ||
|| **(S)** Explicit choice to add nonce values to form media. || ||
=== Filter-based w/ explicit nonce
{{{
{% if csp_nonce %}
{{ form.media|with_nonce:csp_nonce }}
{% endif %}
<!-- or -->
{% if csp_nonce %}
{{ form.media|context:csp_nonce }}
{% endif %}
}}}
||= Pros =||= Cons =||
|| No changes to the template engine are required. || Requires updates to admin templates & 3rd-party packages. ||
|| **(S)** Explicit choice to add nonce values to form media. || Requires case handling to prevent `VariableDoesNotExist` in Django's admin and 3rd-party packages. (The context processor needs to be added to a project.) ||
|| || Fairly complex template syntax, including branching. ||
=== Filter-based w/ implicit context
{{{
{{ form.media|with_nonce }}
<!-- or -->
{{ form.media|context:"csp_nonce" }}
}}}
||= Pros =||= Cons =||
|| **(S)** Explicit choice to add nonce values to form media. || Requires updates to admin templates & 3rd-party packages. ||
|| A `context` filter would be reusable. || A `context` filter would be reusable and requires some form of a public interface. ||
|| || **(S)** Requires changes to the template engines. Filters are currently not context-aware. ||
=== Automatic injection (if nonce in context)
{{{
{{ form.media }}
}}}
||= Pros =||= Cons =||
|| No updates to existing templates required (incl. 3rd party). || **(S)** No explicit opt-in `nonce` in form media. However, the context processor and the nonce option in CSP need to be enabled. ||
|| Simple (as is) syntax. || **(S)** Requires a new "special" object that gets rendered with a nonce. ||
=== Author's note
I have implemented all versions and don't have a strong preference. Tag-based seems the most in line with Django's current idioms, yet I do like the simplicity of the automatic approach. Both filter approaches come with a fair bit of complexity for either Django or its users, which is why I, personally, wouldn't endorse them. The tag-based implementation was my first approach; however, it does require more new code than any other solution (similar to CSRF).
--
Ticket URL: <https://code.djangoproject.com/ticket/36784#comment:25>
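As an added example (not part of the ticket, and not Django's own code), a Django-free stand-in for what every option above must end up producing: the same per-response nonce on each media tag and in the Content-Security-Policy header, and plain tags when no nonce is in the context. The function names and the header policy are assumptions.

```python
"""Stand-in for rendering form media with a CSP nonce (no Django required).

Mirrors what a `with_nonce` tag/filter or an automatic Media object would
have to do: put one per-response nonce on every <script>/<link> the media
emits and on the Content-Security-Policy header, or emit plain tags when the
context carries no nonce. Names here are hypothetical, not Django's API.
"""
import secrets
from html import escape


def make_nonce() -> str:
    # One fresh, unguessable value per response; never reuse across responses,
    # otherwise the nonce degrades to a static allow-list an attacker can copy.
    return secrets.token_urlsafe(16)


def render_media(js, css, nonce=None) -> str:
    """Render media tags; the nonce attribute is added only when supplied."""
    attr = f' nonce="{escape(nonce, quote=True)}"' if nonce else ""
    lines = [
        f'<link href="{escape(path, quote=True)}" rel="stylesheet"{attr}>'
        for path in css
    ]
    lines += [
        f'<script src="{escape(path, quote=True)}"{attr}></script>'
        for path in js
    ]
    return "\n".join(lines)


def csp_header(nonce: str) -> str:
    """Policy that only allows scripts/styles carrying this response's nonce."""
    return (
        f"default-src 'self'; script-src 'nonce-{nonce}'; "
        f"style-src 'nonce-{nonce}'"
    )


def nonce_matches(html: str, header: str, nonce: str) -> bool:
    """Consistency check: the nonce in the markup is the one the header declares."""
    return f'nonce="{nonce}"' in html and f"'nonce-{nonce}'" in header
```

Whichever template syntax is chosen, the browser only honours the tags whose `nonce` attribute equals the value in the header, so a media rendering that silently omits the nonce (the `VariableDoesNotExist` case) results in blocked scripts and styles rather than a security downgrade.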