On 14 May 2013, at 02:36, Derek Payton <[email protected]> wrote:

> I have a working patch with tests and docs for #13978, which would add the
> ability to have inline JS and CSS in forms.Media. I feel that this ticket is
> a much better solution than, e.g., scattering the required inline media
> throughout your templates. However the issue was raised that this goes
> against the W3C's Content Security Policy. Per Julian's recommendation, I am
> bringing this here for consideration.
>
> Ticket: https://code.djangoproject.com/ticket/13978

Disclaimer: I'm certainly not the most qualified person when it comes to frontend, but since this message didn't get an answer, here's one.

Hi Derek,

https://github.com/dmpayton/django/commit/a676b609004863dd726332df865b9ead7487767e looks fairly reasonable to me.

CSP doesn't look ready for general consumption just yet, at least judging by the first two lines of django-csp's docs:

> Content-Security-Policy is a complicated header. There are many values you
> may need to tweak here.
> It's worth reading the latest CSP spec and making sure you understand it
> before configuring django-csp.

Different sites have different security requirements; for instance, a site where only admins can edit stuff is generally immune to XSS. I don't think the existence of CSP in its current state is a sufficient reason to reject this ticket.

A minor suggestion: InlineJS/CSS sounds even more explicit than EmbeddedJS/CSS.

I left a few other questions on GitHub. I don't expect a long answer, I just want to make sure you've considered them.

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/django-developers?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
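The thread above turns on whether inline JS/CSS in forms.Media conflicts with Content Security Policy. The following is an added example, not code from Django, from the #13978 patch, or from django-csp: it shows the mechanism CSP provides for exactly this case, hash sources (`'sha256-...'`), which let a page allow specific inline blocks without falling back to `'unsafe-inline'`. The `INLINE_JS`/`INLINE_CSS` strings are constructed sample input, the function names are hypothetical, and `inline_allowed` implements only the inline-block rule for a single directive (no `default-src` fallback, no nonce matching); it is a simplification for illustration, not a CSP parser.

```python
import base64
import hashlib

# Constructed sample inline media, the kind of block the ticket wants to attach
# to a form (hypothetical content, not taken from the patch).
INLINE_JS = "document.getElementById('id_name').focus();"
INLINE_CSS = ".errorlist { color: #b00; }"


def csp_hash_source(content: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source expression for an inline block.

    The digest covers the exact UTF-8 bytes between the opening and closing
    tag, so any whitespace change in the rendered block produces a new hash.
    """
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_policy(inline_js, inline_css) -> str:
    """Build a Content-Security-Policy value that allows only the given
    inline blocks (plus same-origin files), with no 'unsafe-inline'."""
    script = ["'self'"] + [csp_hash_source(s) for s in inline_js]
    style = ["'self'"] + [csp_hash_source(s) for s in inline_css]
    return f"script-src {' '.join(script)}; style-src {' '.join(style)}"


def _sources(policy: str, directive: str):
    """Source list for one directive, or None when the directive is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return tokens[1:]
    return None


def inline_allowed(policy: str, directive: str, content: str) -> bool:
    """Decide whether an inline block passes the directive's source list.

    Rule applied (simplified from the CSP spec): if the list contains any
    hash or nonce source, 'unsafe-inline' is ignored and the block must match
    one of the listed hashes; otherwise the block is allowed only when
    'unsafe-inline' is present. A missing directive is treated as no
    restriction (assumption: no default-src fallback is modelled here).
    """
    sources = _sources(policy, directive)
    if sources is None:
        return True
    hashes = [s for s in sources if s.startswith("'sha")]
    nonces = [s for s in sources if s.startswith("'nonce-")]
    if hashes or nonces:
        # algo name sits between the opening quote and the first '-'
        return any(s == csp_hash_source(content, s[1:].split("-")[0]) for s in hashes)
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    policy = build_policy([INLINE_JS], [INLINE_CSS])
    print(policy)
    print(inline_allowed(policy, "script-src", INLINE_JS))        # allowed by hash
    print(inline_allowed(policy, "script-src", INLINE_JS + " "))  # one extra byte: blocked
    print(inline_allowed("script-src 'self'", "script-src", INLINE_JS))  # no inline allowed
```

The practical consequence for a Media-style API is that the framework can only emit matching hashes if it controls the exact bytes it renders; a template that reflows or re-indents the block silently breaks the policy, which is the same "many values you may need to tweak" cost the django-csp docs warn about.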
