#36784: Add CSP support to Django's script object and media objects
--------------------------------+------------------------------------------
Reporter: Johannes Maron | Owner: Johannes Maron
Type: New feature | Status: assigned
Component: Forms | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------+------------------------------------------
Comment (by Johannes Maron):
Hi Jacob,
hm… I hoped to point to more cons than just security considerations in my
previous comment. If you are referring to my deliberation on the PR, yes,
that one is a little trickier.
I believe my point isn't "can we trust the context" (We don't; that's why
we're escaping template variables.) – It's rather, can we trust everyone
with the context? A radical example would be changing `__html__` to always
ingest the full context. I would consider this VERY unsafe (to an
injection attack). We should always explicitly limit the context, but
there are multiple ways to do it.
Unrelated to the context, my other concern was that you might not trust a
3rd party to use safe script sources. I may trust the package, but not its
supply chain. E.g., Django's GeoAdmin uses scripts from a CDN, which opens
the door to a supply chain attack. The automatic solution would be to
unknowingly trust those resources. It does go against the idea of CSP a
little, where you want to explicitly review and whitelist browser
resources.
My main concern with any solution is making any changes to the template
engine. Both Django and Jinja had their fair share of security
vulnerabilities in their early days. New code simply means a new
opportunity to screw up. I consider myself experienced enough to know that
I make mistakes :P
Lastly, yes, 6.1 would be great, since this has been a bit of a pain point
in multiple issues. But Django has thought of patience. ;)
Hi Tim,
Yes, that's why I emphasized the "people with deadlines" part. It should
be easy to do the right (secure) thing. Now we just need to figure out
what that is.
Cheers,
Joe
--
Ticket URL: <https://code.djangoproject.com/ticket/36784#comment:28>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
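As an added example (not code from the ticket, the PR, or Django itself): a small audit that checks the script sources a form's Media object declares against a CSP `script-src` allowlist, in the spirit of the explicit review the comment argues for rather than trusting a third party's sources automatically. The media list, the CDN hostnames and the allowlist are constructed, and Django is not required to run it.

```python
from urllib.parse import urlparse

# Constructed sample: script sources a form's Media object might declare,
# including a hypothetical third-party CDN of the kind the comment warns about.
FORM_MEDIA_JS = [
    "admin/js/vendor/jquery/jquery.js",                 # static path, served by 'self'
    "/static/myapp/widget.js",                          # same-origin absolute path
    "https://cdn.example-cdn.test/leaflet/leaflet.js",  # reviewed third-party CDN
    "//cdn.other.test/lib.js",                          # scheme-relative, not reviewed
]

# Hypothetical script-src allowlist the site operator has explicitly reviewed.
SCRIPT_SRC = ["'self'", "https://cdn.example-cdn.test"]


def source_origin(src):
    """Return "scheme://host" for an external source, or None when the source
    is a relative or same-origin path that the 'self' keyword covers."""
    if src.startswith("//"):
        src = "https:" + src  # scheme-relative URL; assume the page is served over https
    parsed = urlparse(src)
    if not parsed.netloc:
        return None
    return f"{parsed.scheme}://{parsed.netloc}".lower()


def allowed_by_policy(src, script_src):
    """True if the CSP source list would permit loading this script."""
    origin = source_origin(src)
    if origin is None:
        return "'self'" in script_src
    o_scheme, o_host = origin.split("://", 1)
    for entry in script_src:
        e = entry.lower()
        if e == origin:
            return True
        if "://" not in e and e == o_host:          # host-only entry, any scheme
            return True
        if "*." in e:                               # wildcard subdomain entry
            scheme, host = e.split("://", 1) if "://" in e else (None, e)
            if (scheme is None or scheme == o_scheme) and o_host.endswith(host[1:]):
                return True
    return False


def audit_media(sources, script_src):
    """Return the sources the policy would block: third-party origins that were
    never explicitly reviewed and allowlisted."""
    return [s for s in sources if not allowed_by_policy(s, script_src)]
```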