#36784: Add CSP support to Django's script object and media objects
--------------------------------+------------------------------------------
     Reporter:  Johannes Maron  |                    Owner:  Johannes Maron
         Type:  New feature     |                   Status:  assigned
    Component:  Forms           |                  Version:  6.0
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Accepted
    Has patch:  1               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  1
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+------------------------------------------
Comment (by Jacob Walls):

 I just made an initial review of the
 [https://github.com/django/django/pull/21010 PR that was announced on that
 forum thread]. It follows option 1, the template-tag approach. The code is
 not very involved. IMO, among the "cons" from Joe's table in comment:25,
 all that leaves are the updates needed in 3rd party packages, which is
 spun as a "pro" (manual review) by some on the forum thread.

 In other words, I think the PR looks very good. I left small questions.

 Returning to this earlier aside:

 > I believe my point isn't "can we trust the context" (We don't; that's
 why we're escaping template variables.)

 My point was that we should be able to trust that the context does not
 contain unexpected, arbitrary key-value pairs. (That is to say, we would
 not expect an attacker would be able to get `{"csp_nonce": "evil"}` into
 the context somehow.) That's different from acknowledging that the DTL
 auto-HTML-escapes template variables. Does that sound right?

 (I'd also be very happy to see additional reviews on the above PR!)
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36784#comment:31>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
