> I agree; note however, that nonces are part of CSP Level 2, which is in
> "W3C Recommendation" status
Ah, I am not familiar with all these standards, thanks for clarifying.
> The first part I think Django should be involved in is generating the nonce
> (a simple base64(os.random(16)) and makin
OK, so to refocus the issue:
Using CSP nonces requires the following: any
Hi Adam, thanks for your comments.
> Given that it's still a W3C draft I am not sure it should be added to
> Django core yet.
I agree; note however, that nonces are part of CSP Level 2, which is in
"W3C Recommendation" status. Since support for nonces is a prerequisite for
any of this, I'll refo
Hi Ran
Given that it's still a W3C draft I am not sure it should be added to
Django core yet. I don't know of any official policy around what Django
implements versus the W3C spec levels though.
However it does seem that without a centralized solution for CSP nonces,
they won't be usable with thi
Hey,
I'd like to discuss how Django might encourage and ease the use of CSP in
the frontend. As Django is used more and more to drive complex web
applications, I think this is of interest. (I tried to keep this short, but
failed...).
# CSP background
CSP (Content Security Policy) is an elaborate