#36784: Add CSP support to Django's script object and media objects
--------------------------------+------------------------------------------
Reporter: Johannes Maron | Owner: Johannes Maron
Type: New feature | Status: assigned
Component: Forms | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+------------------------------------------
Comment (by Natalia Bidart):
Replying to [comment:36 Johannes Maron]:
> Please don't take this the wrong way, and I didn't say this before, but
> since we're here again, it feels fairly discouraging to have a
> contribution hijacked that people committed a lot of time and effort to.
> The support is applaudable, but I also see how first-time contributors
> might be discouraged by this.
Thank you for raising this; I appreciate your honesty. From my view, I
think it would be important to consider the earlier comments and
proposals, as the current framing does not seem to fully reflect that. As
it stands, it comes across as somewhat incomplete, which I feel is a bit
unfair. My PR has been available and ready for review since March 24, as
part of the earlier proposal and follow-up discussion. That work involved
revisiting the initial design direction and refining it toward what I
believe is a more Django-idiomatic approach.
Timeline-wise, on March 24th, I indicated on comment:23 that I had a draft
branch for an alternative approach and that I would take ownership to
polish it, explicitly inviting reviews. On March 25, I created a forum
post including a polished PR implementing that option. Given that
sequence, my PR was not intended as taking over someone else's work, but
rather continuing along the process of proposing, validating, and refining
solutions in the open, with concrete implementations to support
discussion.
Looking at the current PRs, there is clear alignment in direction
(explicit opt-in via template tag usage), but a notable difference in
architectural approach. The approach in
[https://github.com/django/django/pull/20763/ PR #20763] in particular:
* Introduces tight coupling between forms/media and CSP, pulling a
request-specific concern (the nonce) into what is otherwise a static,
declarative API.
* Makes `Media` rendering nonce-aware with `render(nonce=...)`, making the
nonce receive special treatment in forms definitions, rather than
following Django's existing, generic attribute injection pattern.
* Bounds the solution to DTL internals and does not keep the path open for
other template engines.
From a process perspective, you are already a co-author on
[https://github.com/django/django/pull/21010 PR #21010], and your work
done so far has directly contributed to moving this forward. The goal here
is to converge on the right design rather than competing implementations.
I would lean towards the option that minimizes coupling and keeps concerns
clearly separated.
Lastly, it would be very valuable to have your review on my PR, since it
would help ensure alignment on the current state, progress, and next
steps.
--
Ticket URL: <https://code.djangoproject.com/ticket/36784#comment:37>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.