I created a draft proposal, GSOC Proposal [Security: Bring CORS and CSP into core] 
<https://docs.google.com/document/d/1FtDyKncMU-Ek07kmDqEgvsBK85PxBLtrQxdnMGQqPGE/edit?usp=sharing>. 
I would be glad if you could review it once :) 
Some key notes on the proposal:

   1. CSP is to be added to SecurityMiddleware, as suggested by @timgraham 
   <https://forum.djangoproject.com/u/timgraham> in his closing notes on 
   PR-5776 
   <https://github.com/django/django/pull/5776#issuecomment-163002994>. I 
   will be following the design of Referrer Policy and implementing some extra 
   features such as a nonce context processor.
   2. A doubt that I had: since CSP consists of a number of directives, would 
   creating a settings attribute for each one of them be a valid option, or 
   can we stick to the proposed way of declaring it in a single comma-separated 
   string as done with Referrer Policy?
   3. Currently this proposal proposes CORS to be implemented via the 
   addition of a CORSMiddleware, but I was wondering whether implementing CORS in 
   SecurityMiddleware would be the right way or not.
   4. Also, since I propose to add CSP to SecurityMiddleware, we would have 
   to create SecurityMiddleware._make_nonce(request); I don't know if this 
   breaks the design of SecurityMiddleware. The mock implementation of CSP 
   in SecurityMiddleware can be seen here: CSP mock implementation 
   <https://docs.google.com/document/d/1FtDyKncMU-Ek07kmDqEgvsBK85PxBLtrQxdnMGQqPGE/edit#heading=h.6p5wog1y0xqk>.
   5. Decorators will be added to both CORS and CSP with CORS having 3 
   decorators and CSP having 4 decorators.


-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/03a6602d-9f95-46be-9dc0-39f841bcd9bcn%40googlegroups.com.
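The design sketched in points 1, 2, 4 and 5 above, as an added example that is not code from the proposal or from Django itself: a SecurityMiddleware-style class that generates a per-request nonce (the role of the proposed _make_nonce), builds the Content-Security-Policy header either from one setting per directive (a dict) or from a single string in the Referrer Policy style, exposes the nonce through a context processor, and supports per-view decorators. The Request, Response, SECURE_CSP, NONCE_PLACEHOLDER and decorator names are assumptions for illustration, not Django's real API, so the block runs without Django installed.

```python
import secrets
from dataclasses import dataclass, field
from functools import wraps

NONCE_PLACEHOLDER = "'nonce'"  # assumed marker in settings; replaced per request by 'nonce-<value>'


@dataclass
class Request:            # stand-in for django.http.HttpRequest (assumption)
    path: str
    csp_nonce: str = ""


@dataclass
class Response:           # stand-in for django.http.HttpResponse (assumption)
    body: str = ""
    headers: dict = field(default_factory=dict)
    csp: object = "unset"  # "unset" means "use the global setting"; None means exempt


# Option from point 2, variant A: one entry per directive, gathered in a dict (assumed name).
SECURE_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", NONCE_PLACEHOLDER],
    "object-src": ["'none'"],
}


def parse_csp(policy_string):
    """Variant B: a single string like SECURE_REFERRER_POLICY.
    Directives are separated by ';', sources within a directive by whitespace."""
    policy = {}
    for chunk in policy_string.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def build_csp_header(policy, nonce):
    """Serialise a directive dict (or policy string) into a header value, inserting the nonce."""
    if isinstance(policy, str):
        policy = parse_csp(policy)
    directives = []
    for name, sources in policy.items():
        rendered = [f"'nonce-{nonce}'" if s == NONCE_PLACEHOLDER else s for s in sources]
        directives.append(" ".join([name, *rendered]).strip())
    return "; ".join(directives)


def make_nonce():
    # 16 random bytes = 128 bits, base64url encoded; a fresh value on every request.
    return secrets.token_urlsafe(16)


class SecurityMiddleware:
    """Mock of SecurityMiddleware gaining CSP; nonce_factory is injectable for tests."""

    def __init__(self, get_response, csp=SECURE_CSP, nonce_factory=make_nonce):
        self.get_response = get_response
        self.csp = csp
        self.nonce_factory = nonce_factory

    def __call__(self, request):
        request.csp_nonce = self.nonce_factory()       # what _make_nonce(request) would do
        response = self.get_response(request)
        policy = self.csp if response.csp == "unset" else response.csp
        if policy:                                     # None or empty policy: no header
            response.headers["Content-Security-Policy"] = build_csp_header(policy, request.csp_nonce)
        return response


def csp_nonce(request):
    """Context processor: exposes the nonce to templates as {{ csp_nonce }}."""
    return {"csp_nonce": request.csp_nonce}


def csp_override(policy):
    """View decorator: replace the global policy for one view."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            response = view(request, *args, **kwargs)
            response.csp = policy
            return response
        return wrapped
    return decorator


def csp_exempt(view):
    """View decorator: send no CSP header for this view."""
    return csp_override(None)(view)


def run_demo(nonce_factory=make_nonce):
    """Drive three constructed views through the middleware; returns path -> CSP header."""
    def home(request):
        return Response(body=f"<script nonce=\"{csp_nonce(request)['csp_nonce']}\"></script>")

    @csp_override("default-src 'none'; img-src 'self'")
    def gallery(request):
        return Response()

    @csp_exempt
    def legacy(request):
        return Response()

    routes = {"/": home, "/gallery": gallery, "/legacy": legacy}
    mw = SecurityMiddleware(lambda req: routes[req.path](req), nonce_factory=nonce_factory)
    return {path: mw(Request(path)).headers.get("Content-Security-Policy") for path in routes}


if __name__ == "__main__":
    for path, header in run_demo().items():
        print(f"{path}: {header}")
```

Running the block prints one header per route; the home view gets the global policy with a fresh nonce, the decorated view gets its own string policy, and the exempt view gets no header. The nonce is generated before the view runs so that templates can reach it via the context processor, and the string form is normalised into the dict form before serialisation, so both settings styles from point 2 go through one code path.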