#35692: form media elements should support emitting CSP nonces
--------------------------------+---------------------------------------
     Reporter:  László Károlyi  |                     Type:  New feature
       Status:  new             |                Component:  Forms
      Version:  4.2             |                 Severity:  Normal
     Keywords:  csp             |             Triage Stage:  Unreviewed
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+---------------------------------------
 Hello,

 there is the django-csp PyPI module that makes the setting of a proper CSP
 achievable in Django. If one uses 'strict-dynamic' and a nonce per
 request, all script tags (and eventually link/style tags) will need the
 nonce emitted at render time.

 I've already committed a change to django-debug-toolbar with this that is
 now accepted: https://github.com/jazzband/django-debug-toolbar/pull/1975

 In Django itself, the form media tags are generated in
 `django/forms/widgets.py`:

 https://github.com/django/django/blob/e0579ce27746b04a37cf43559df445068fd2a781/django/forms/widgets.py#L93

 Respectively, the `render_js` and `render_css` methods are called.

 The problem is, in order to emit the nonce, one needs the request object
 that is not passed to the media object, since that contains the
 `csp_nonce` variable. One possibility would be to fetch the current
 request from the current thread, which is probably not a good idea in an
 async environment. In the toolbar module, I simply look for a `csp_nonce`
 to see if it's set, and render it if it is.

 This will lead to more issues down the line, so I request a change on
 this. For the time being, it's only avoidable by rendering the media tags
 manually.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35692>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
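The workaround the ticket ends on, rendering the media tags manually with the request's nonce, looks like the following. This is an added example written for this page; it is not Django's `django.forms.widgets.Media`, not django-csp, and not the reporter's patch. The helper names (`render_media_tags`, `build_csp_header`, `scripts_missing_nonce`, `nonce_from_request`) and the `FakeRequest` stand-in are made up here; only the `csp_nonce` attribute name comes from the ticket.

```python
"""Render form media (<script>/<link>) with a per-request CSP nonce.

Added example for this page, not Django or django-csp code. Helper names
are hypothetical; the request attribute name ``csp_nonce`` is the one the
ticket mentions.
"""
import html
import re
import secrets
from typing import Iterable, List, Optional

NONCE_BYTES = 16  # 128 bits of randomness per request


def new_nonce() -> str:
    """One unpredictable nonce per response (url-safe base64, no padding)."""
    return secrets.token_urlsafe(NONCE_BYTES)


def nonce_from_request(request: object) -> Optional[str]:
    """Mirror the toolbar approach from the ticket: use request.csp_nonce if set."""
    return getattr(request, "csp_nonce", None)


def _attr(value: str) -> str:
    """Escape a value for a double-quoted HTML attribute (blocks attribute breakout)."""
    return html.escape(str(value), quote=True)


def render_media_tags(js: Iterable[str], css: Iterable[str],
                      nonce: Optional[str] = None) -> str:
    """Emit <link> then <script> tags; each carries nonce="..." when one is given.

    With 'strict-dynamic' in script-src, the browser runs only scripts whose
    nonce matches the CSP header; a tag rendered without it is blocked.
    """
    nonce_attr = f' nonce="{_attr(nonce)}"' if nonce else ""
    tags: List[str] = []
    for href in css:
        tags.append(f'<link href="{_attr(href)}" rel="stylesheet"{nonce_attr}>')
    for src in js:
        tags.append(f'<script src="{_attr(src)}"{nonce_attr}></script>')
    return "\n".join(tags)


def build_csp_header(nonce: str) -> str:
    """Content-Security-Policy value that pairs with the tags rendered above."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        f"style-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )


def scripts_missing_nonce(rendered_html: str, csp_header: str) -> List[str]:
    """Return every <script> opening tag that lacks the nonce named in the header.

    Useful as a test-time check: an empty list means all scripts will run
    under the policy; any entry is a tag the browser would block.
    """
    script_tags = re.findall(r"<script\b[^>]*>", rendered_html)
    match = re.search(r"'nonce-([A-Za-z0-9+/=_-]+)'", csp_header)
    if not match:
        return script_tags  # no nonce in the policy: nothing can satisfy it
    expected = f'nonce="{match.group(1)}"'
    return [tag for tag in script_tags if expected not in tag]


class FakeRequest:
    """Constructed stand-in for a request the CSP middleware has annotated."""

    def __init__(self, csp_nonce: Optional[str]) -> None:
        self.csp_nonce = csp_nonce


if __name__ == "__main__":
    request = FakeRequest(new_nonce())  # constructed sample request
    nonce = nonce_from_request(request)
    page_media = render_media_tags(
        js=["admin/js/vendor/jquery/jquery.js", "admin/js/core.js"],
        css=["admin/css/widgets.css"],
        nonce=nonce,
    )
    header = build_csp_header(nonce)
    print(header)
    print(page_media)
    print("blocked scripts:", scripts_missing_nonce(page_media, header))
```

The `scripts_missing_nonce` check is the piece worth keeping in a test suite: rendering a view with a strict-dynamic policy and asserting the list is empty catches exactly the failure the ticket describes, a widget whose media was emitted without the nonce and is therefore silently blocked in the browser.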

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701916af2c1f6-b17c9ce4-dbc0-4557-b208-e9198f161a43-000000%40eu-central-1.amazonses.com.