Re: Making the admin compatible with CSP
Help would be greatly appreciated; first-time contributor, not 100% sure what I'm doing. Got stuck with the test suite over the week but back on track now. There is a GitHub repo here with my work [1]. The tests seem to be passing, but I haven't created any new ones. What is the best approach: a simple regression test against the views I've changed, or would it be possible to have a test that checked any potential view in the admin and made sure there was no inline JavaScript, i.e. no script without a src tag unless it had a different type? The logic I can do; the "all admin views" part is the bit I'm not sure about.

I also haven't done the escaping the way you suggested, just because the suggestion came in after I'd done the work, but it's an easy enough change. Also haven't removed all anchor links with JavaScript event.preventDefault calls, which Florian and I agreed would be nicer. Haven't done inline styles either; there are far fewer of them, so that should be an easier task. So, work to do, but I would appreciate a review from someone who knows what they are doing.

James

[1] https://github.com/blighj/django/commit/ffc40d0cd904840ea77a34f640df2a3512a349db

> On 26 Sep 2015, at 03:41, Gavin Wahl wrote:
>
> I'm very interested in getting this into 1.10. I can devote some time to it
> to help.
>
> When I looked at it before, based on the time I had available, it didn't seem
> feasible for me to remove every single inline script. Especially with form
> widgets that include templated javascript. Instead I was looking at the two
> ways to whitelist scripts with CSP, namely script-nonce and script hash
> sources. The disadvantage with either of these approaches is that they need
> to be integrated with the middleware adding the CSP header, to communicate
> the current page nonce or the list of hashes. script-nonces also totally
> destroy caching, because each response has to have a unique nonce that's
> referenced by each inline script.
>
> Ideally django admin would just be compatible with whatever CSP header the
> user wants, without any specific integration, so removing all inline scripts
> and styles is certainly preferable if you have the time.
>
> > Oh, btw please do not handwrite JSON in templates,
>
> Absolutely, the view should build a data structure representing the data to
> be encoded as JSON rather than templating it.
>
> > which then only needs to go through the autoescape filter I think
>
> This is actually incorrect.
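The check James asks about above (a test that takes a rendered admin page and fails on any inline script, inline style or handler attribute) and the hash-source allowlisting Gavin describes in the quoted message can be demonstrated with one small scanner. The following is an added example, not code from Django, from James's branch or from anyone in the thread; it uses only the standard library and makes up its own names (scan_html, CSPViolationScanner, csp_hash_source) and two constructed sample pages (BEFORE, in the pattern the thread objects to, and AFTER, the same page restructured). It flags a src-less script unless its type is one a browser never executes, plus javascript: URLs, on* attributes, style attributes and style elements, and for each inline script it emits the CSP hash-source that a hash-based policy would have to carry.

```python
"""Scan rendered HTML for the constructs a strict Content-Security-Policy blocks."""
import base64
import hashlib
from html.parser import HTMLParser

# type= values a browser executes as a classic or module script
EXECUTABLE_SCRIPT_TYPES = {"", "text/javascript", "application/javascript", "module"}
# a javascript: URL in one of these attributes is inline script too
URL_ATTRS = {"href", "src", "action", "formaction"}


def csp_hash_source(script_body, algo="sha256"):
    """CSP hash-source for an inline script body, hashed byte for byte."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


class CSPViolationScanner(HTMLParser):
    """Collects (line, kind, detail) for every inline script, style or handler."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_start = None  # line of an open inline <script>, else None
        self._script_body = []
        self._style_start = None

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = dict(attrs)  # HTMLParser already lower-cases attribute names
        if tag == "script":
            stype = (attrs.get("type") or "").strip().lower()
            # <script src=...> passes a URL-based script-src and a data block such as
            # type="application/json" is never executed; only src-less + executable type is inline
            if "src" not in attrs and stype in EXECUTABLE_SCRIPT_TYPES:
                self._script_start, self._script_body = line, []
        elif tag == "style":
            self._style_start = line
        if "style" in attrs:
            self.findings.append((line, "inline-style-attr", tag))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((line, "event-handler-attr", "%s@%s" % (tag, name)))
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", "%s@%s" % (tag, name)))

    def handle_data(self, data):
        if self._script_start is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_start is not None:
            # the hash is the allowlist entry a hash-source policy would need for this body
            body = "".join(self._script_body)
            self.findings.append((self._script_start, "inline-script", csp_hash_source(body)))
            self._script_start = None
        elif tag == "style" and self._style_start is not None:
            self.findings.append((self._style_start, "inline-style-element", "style"))
            self._style_start = None


def scan_html(html):
    """Findings for one rendered page; an empty list means it is CSP-clean."""
    scanner = CSPViolationScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page in the pattern the thread objects to: handwritten JSON in an
# inline script, an inline <style>, a javascript: link with onclick, a style attr.
BEFORE = """<!DOCTYPE html>
<html><head>
<script src="/static/admin/js/core.js"></script>
<script>
  var adminConfig = {"inlines": 3, "prefix": "book_set"};
</script>
<style>.errornote { color: red; }</style>
</head><body>
<a href="javascript:void(0)" onclick="showRelated(); return false;">Related</a>
<div style="display:none" id="hidden-row"></div>
</body></html>
"""

# The same page made CSP-clean: data in a non-executable JSON block built by the
# view, behaviour and styling in external files, the link replaced by a button.
AFTER = """<!DOCTYPE html>
<html><head>
<script src="/static/admin/js/core.js"></script>
<script id="admin-config" type="application/json">{"inlines": 3, "prefix": "book_set"}</script>
<link rel="stylesheet" href="/static/admin/css/forms.css">
</head><body>
<button type="button" class="show-related">Related</button>
<div class="hidden" id="hidden-row"></div>
</body></html>
"""
```

In a Django test the assertion would be `scan_html(response.content.decode()) == []` for each admin URL the test client fetches; scanning the rendered output rather than the templates is what makes the check cover templated widget JavaScript too. Two caveats: the type check is a plain string comparison, so a misspelt type that a browser would treat as a classic script is caught only because it is not in the executable set in the other direction (treat any unknown type as suspect if you want to be strict), and a hash-source must be computed over the exact bytes between the script tags, whitespace included, which is why the scanner joins the raw data chunks without stripping.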
Fellow Report - September 26, 2015
Report for week ending September 26, 2015:

Triaged
-------
https://code.djangoproject.com/ticket/25441 - Add support for negative filesize to filesizeformat template filter (accepted)
https://code.djangoproject.com/ticket/25434 - Missing documentation for request.site attribute (accepted)
https://code.djangoproject.com/ticket/25421 - Twice run tests with --keepdb option in Oracle fails (accepted)
https://code.djangoproject.com/ticket/25442 - RunSQL migration is run twice (and once for real with "--fake") (invalid)
https://code.djangoproject.com/ticket/25447 - Emphasize the need to restart dev server when adding template tags (fixed)
https://code.djangoproject.com/ticket/25450 - HostnameField (Feature request) (won't fix)
https://code.djangoproject.com/ticket/25455 - optimization dictfetchall in documentation (fixed)
https://code.djangoproject.com/ticket/25460 - Inconsistent behaviour from TimestampSigner with two different separators (invalid)
https://code.djangoproject.com/ticket/25456 - Make GenericIPAddressField normalize IPv4 addresses (accepted)

Authored
--------
https://github.com/django/django/pull/5344 - Fixed #25410 -- Fixed empty ClearableFileInput crash on Python 2.
https://github.com/django/django/pull/5353 - Fixed #25451 -- Added advice about organizing tests.
https://github.com/django/django/pull/5357 - Removed redundancy in admin_changelist tests.
https://github.com/django/django/pull/5358 - Fixed #25462 -- Removed Model.__unicode__() in favor of @python_2_unicode_compatible.
https://github.com/django/django/pull/5360 - Fixed #25376 -- Required virtualenv in installation instructions.
https://github.com/django/django/pull/5366 - Fixed #25466 -- Added backwards compatibility aliases for LoaderOrigin and StringOrigin.
https://github.com/django/django/pull/5368 - Fixed #24323 -- Documented @admin.register can't be used with super(Admin in __init__().
https://github.com/django/code.djangoproject.com/pull/59 - Added a warning for Trac accounts without an email address.
https://github.com/django/djangoproject.com/pull/524 - Added missing mocks in fundraising tests.

Reviewed/committed
------------------
https://github.com/django/django/pull/5123 - Fixed #12856 -- Documented BoundField API.
https://github.com/django/django/pull/5319 - Fixed #24688 -- Added Oracle support for new-style GIS functions.
https://github.com/django/django/pull/4883 - Fixed #15760 -- Added JavaScript events for admin inline forms.
https://github.com/django/django/pull/5285 - Fixed #25373 -- Added warning logging for exceptions during {% include %} tag rendering.
https://github.com/django/django/pull/5343 - Fixed #25407 -- Removed network dependency in GeoIP tests.
https://github.com/django/django/pull/5352 - Fixed #25457 -- Improved formatting of password validation errors in management command output.
https://github.com/django/django/pull/5068 - Fixed #25196 -- Normalized database representations in test database messages.
https://github.com/django/django/pull/5362 - Fixed #25421 -- Fixed test --keepdb option on Oracle.

Reviews of core dev work
------------------------
https://github.com/django/django/pull/5316 - Fixed #25431 -- Removed foreign key exclusion in ModelForm._post_clean() self.instance construction.
https://github.com/django/django/pull/5318 - Fixed #22341 -- Split django.db.models.fields.related
https://github.com/django/django/pull/5330 - Fixed #24921 -- Allowed ORM write queries after set_autocommit(False).
https://github.com/django/django/pull/5324 - Fixed #24509 -- Added Expression support to SQLInsertCompiler
https://github.com/django/django/pull/5365 - Merged serializers_regress with serializers tests
https://github.com/django/django/pull/5367 - Fixed #25468 -- Made DjangoJSONEncoder lazy string aware