Re CSP

It's more or less fine to start using it. It still needs a clean API for configuring 
it, but it's pretty solid. 

However, a newish feature that has been added is the ability to allow _some_ 
inline scripts but not all. Sadly, this feature doesn't have widespread support 
yet.

The other thing about CSP is that policies are defined per response. So a page 
that uses inline scripts could be allowed them while another page doesn't.
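The two points above (allowing specific inline scripts by hash or nonce, and choosing a policy per response) in working form. This is an added example, not code from the thread or from Django itself; the helper names, the `/form/` route and the widget script are constructed for illustration, and the allow-check is a simplified model of browser behaviour.

```python
import base64
import hashlib
import secrets

# Hypothetical helpers (not Django's API) showing how one response can
# whitelist specific inline scripts by hash or nonce while others stay strict.
WIDGET_JS = "document.getElementById('id_date').focus();"  # constructed sample


def script_hash(source: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script body: base64(hash(text content))."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce() -> str:
    """Fresh per-response nonce; must never be reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(nonce=None, inline_scripts=(), allow_all_inline=False) -> str:
    """Build a Content-Security-Policy header value for a single response."""
    sources = ["'self'"]
    if allow_all_inline:
        sources.append("'unsafe-inline'")  # weak: any injected <script> runs too
    else:
        if nonce:
            sources.append(f"'nonce-{nonce}'")
        sources.extend(script_hash(s) for s in inline_scripts)  # only these bodies
    return "default-src 'self'; script-src " + " ".join(sources)


def inline_allowed(policy: str, source: str, nonce=None) -> bool:
    """Simplified check: would this inline script execute under the policy?"""
    script_src = policy.split("script-src ", 1)[1].split(";")[0].split()
    if "'unsafe-inline'" in script_src:
        return True
    if nonce and f"'nonce-{nonce}'" in script_src:
        return True
    return script_hash(source) in script_src  # any edit to the body breaks the match


def response_headers(page: str) -> dict:
    """Per-response policy: only the form page whitelists its widget's inline JS."""
    if page == "/form/":
        policy = build_policy(inline_scripts=[WIDGET_JS])
    else:
        policy = build_policy()
    return {"Content-Security-Policy": policy}
```

In Django this would be wired into a middleware or view decorator that sets the header on each `HttpResponse`, with the hash computed from the exact text `forms.Media` emits.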

On May 15, 2013, at 6:28 PM, Aymeric Augustin 
<aymeric.augus...@polytechnique.org> wrote:

> On 14 May 2013, at 02:36, Derek Payton <derek.pay...@gmail.com> wrote:
> 
>> I have a working patch with tests and docs for #13978, which would add the 
>> ability to have inline JS and CSS in forms.Media. I feel that this ticket is 
>> a much better solution than, e.g., scattering the required inline media 
>> throughout your templates. However the issue was raised that this goes 
>> against the W3C's Content Security Policy. Per Julian's recommendation, I am 
>> bringing this here for consideration.
>> 
>> Ticket: https://code.djangoproject.com/ticket/13978
> 
> Disclaimer: I'm certainly not the most qualified person when it comes to 
> frontend, but since this message didn't get an answer, here's one.
> 
> 
> Hi Derek,
> 
> https://github.com/dmpayton/django/commit/a676b609004863dd726332df865b9ead7487767e looks fairly reasonable to me. 
> 
> CSP doesn't look ready for general consumption just yet, at least judging by 
> the two first lines of django-csp's docs:
>> Content-Security-Policy is a complicated header. There are many values you 
>> may need to tweak here.
> 
>> It’s worth reading the latest CSP spec and making sure you understand it 
>> before configuring django-csp.
> Different sites have different security requirements, for instance a site 
> where only admins can edit stuff is generally immune to XSS. I don't think 
> the existence of CSP in its current state is a sufficient reason to reject 
> this ticket.
> 
> A minor suggestion: InlineJS/CSS sounds even more explicit than 
> EmbeddedJS/CSS.
> 
> I left a few other questions on GitHub. I don't expect a long answer, I just 
> want to make sure you've considered them.
> 
> -- 
> Aymeric.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-developers?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>  
>  
