Any thoughts on content security policy / django-csp? #34
Comments
|
Yep, that's definitely something I'm interested in pursuing. Do you have a working solution you could share, or at the very least some snippets showing how the output would/should look like? |
|
I'm afraid not. Looks like django-csp adds And then for any instance of (in this case) <script> you want to do something like this: However the request context is not automatically propagated down to the widget initialization. |
|
(Dumping links) I think django-csp-helpers has an interesting idea on how to implement something like this: I have looked at overriding media classes to support additional attributes but this hasn't gone too far yet, but here's the pull request which would enable us to add our own Also, here's a DEP draft which I haven't found the time to work on a lot yet: I have generated some code yesterday for django-js-asset: |
When I migrated from 0.11a11 to .11b4 I had to mess around with content security policy hashes for the importmap added the django admin page. (Was this added in the refactoring?...)
We are using the django-cps package for reference. (version 3.8).
Of course to just get things working, we just add the required CPS hash to the headers of each response. (Handled by django-cps configuration)
However since you are working on django_js_assets: Maybe one could make it interact with django-cps and add the correct nounce to the script-tag containing importmap.
The text was updated successfully, but these errors were encountered: