#36784: Add CSP support to Django's script object and media objects
--------------------------------+------------------------------------------
     Reporter:  Johannes Maron  |                    Owner:  Natalia Bidart
         Type:  New feature     |                   Status:  assigned
    Component:  Forms           |                  Version:  6.0
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Accepted
    Has patch:  1               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+------------------------------------------
Comment (by Johannes Maron):

 Replying to [comment:37 Natalia Bidart]:

 > Timeline wise, on March 24th, I indicated on comment:23 that I had a
 > draft branch for an alternative approach and that I would take ownership
 > to polish it, explicitly inviting reviews. On March 25, I created a forum
 > post including a polished PR implementing that option. Given that
 > sequence, my PR was not intended as taking over someone else's work, but
 > rather continuing along the process of proposing, validating, and refining
 > solutions in the open, with concrete implementations to support
 > discussion.

 Very kindly, I don't believe this is a healthy discussion that will lead
 to a meaningful outcome.

 I have reviewed your PR prior to posting the RFC to the steering council
 and the security team but didn't leave any comments to be mindful of your
 time. I will now do another thorough round.

 > Introduces tight coupling between forms/media and CSP, pulling a
 > request-specific concern (the nonce) into what is otherwise a static,
 > declarative API.

 I was aiming for specificity deliberately to minimize vulnerability
 vectors. It is a security feature, and the ability to inject attributes to
 static assets in the template is new.

 > Makes Media rendering nonce-aware with render(nonce=...), making the
 > nonce receive special treatment in forms definitions, rather than
 > following Django's existing, generic attribute injection pattern.

 Same as above.

 > Bounds the solution to DTL internals and does not keep the path open for
 > other template engines.

 Where though? Maybe we are talking about different code?

 > Lastly, it would be very valuable to have your review on my PR, since it
 > would help ensure alignment on the current state, progress, and next
 > steps.

 Thank you, I would have appreciated a review from you too.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36784#comment:39>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
