Ticket #15727, dealing with adding support for the Content Security Policy header, was last updated with the suggestion that the one thing that should be done is to make the admin site compatible by removing inline scripts.
I'd love to see this done, especially with the new design. I have done a similar job on my own django site so had a quick look at the admin. And it seems manageable, but I might be missing things due to naivety. I'm just looking for opinions before I start. I'm gonna try to get a pull request together in the next day or two.

There is not a huge amount of inline scripts and in general I see three problems to solve:

1) inline scripts to autofocus a field when the page loads
2) inline scripts that pass data from django to javascript
3) scripts that use href="javascript"

I'd propose solving as follows:

1) use the autofocus attribute when creating the form. This will work for IE10+ http://caniuse.com/#feat=autofocus It can also be done by creating a few targeted one line js files and including them instead of the inline. It just seems a lot of http overhead to save users of two old browsers having to click into a text input.

2) use the <script type="application/json"> technique instead. https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#HTML_entity_encoding

Quick example from popup_response.html:

    <script type="text/javascript">
    {% if action == 'change' %}
        opener.dismissChangeRelatedObjectPopup(window, "{{ value|escapejs }}", "{{ obj|escapejs }}", "{{ new_value|escapejs }}");
    {% elif action == 'delete' %}
        opener.dismissDeleteRelatedObjectPopup(window, "{{ value|escapejs }}");
    {% else %}
        opener.dismissAddRelatedObjectPopup(window, "{{ value|escapejs }}", "{{ obj|escapejs }}");
    {% endif %}
    </script>

becomes

    <script type="application/json" id="popup_response_data">
    {
    {% if action == 'change' %}
        "action": "change",
        "value": "{{ value|escapejs }}",
        "obj": "{{ obj|escapejs }}",
        "new_value": "{{ new_value|escapejs }}"
    {% elif action == 'delete' %}
        "action": "delete",
        "value": "{{ value|escapejs }}"
    {% else %}
        "action": "add",
        "value": "{{ value|escapejs }}",
        "obj": "{{ obj|escapejs }}"
    {% endif %}
    }
    </script>
    <script type="text/javascript" src="{% static "admin/js/popup_response.js" %}"></script>

- popup_response.js

    /*global opener*/
    (function() {
        // Read the JSON data island rendered by the template and parse it.
        var dataElement = document.getElementById('popup_response_data');
        var jsonText = dataElement.textContent || dataElement.innerText;
        var initData = JSON.parse(jsonText);
        if (initData.action == 'change') {
            opener.dismissChangeRelatedObjectPopup(window, initData.value, initData.obj, initData.new_value);
        } else if (initData.action == 'delete') {
            opener.dismissDeleteRelatedObjectPopup(window, initData.value);
        } else {
            opener.dismissAddRelatedObjectPopup(window, initData.value, initData.obj);
        }
    })();

3) instead of hrefs pointing to javascript:void(0) change these to simply #javascriptvoid. Other places use inline code in the javascript: href. These could be changed to use #javascriptvoid too and the code moved to a function that is linked to the element using jQuery or the addEvent method from core.js as appropriate.

James

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CACgOoA9zk%3D-ZqN5cTjLFEL-LRL30uRMaQBYNCu-HJdAK9XUyZQ%40mail.gmail.com.
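Proposal 2 in the message above replaces per-value escapejs strings with a JSON data island read by an external file, and the check a reviewer would want on that pattern is that a value containing "</script>" cannot terminate the data element. This is an added example, not code from the thread or from Django: the helper names json_script, popup_response_data and extract_json are my own, and it serialises the whole object once, escaping <, > and & as JSON \u sequences so the output is safe in script context while JSON.parse still returns the original text.

```python
import json

# Escapes for the three characters that could let a serialized value end
# the surrounding <script> element or open an HTML entity. Each replacement
# is a valid JSON \u escape, so JSON.parse() still yields the original text.
_SCRIPT_ESCAPES = {ord("<"): "\\u003C", ord(">"): "\\u003E", ord("&"): "\\u0026"}


def json_script(data, element_id):
    """Render `data` as a <script type="application/json"> data island.

    Because no literal '<' survives serialization, a value such as
    '</script>' cannot close the element early; the first '</script>'
    in the output is always our own closing tag.
    """
    payload = json.dumps(data).translate(_SCRIPT_ESCAPES)
    return '<script id="%s" type="application/json">%s</script>' % (element_id, payload)


def popup_response_data(action, value, obj=None, new_value=None):
    """Build the object popup_response.js reads, instead of per-field escapejs."""
    data = {"action": action, "value": value}
    if action == "change":
        data["obj"] = obj
        data["new_value"] = new_value
    elif action == "add":
        data["obj"] = obj
    elif action != "delete":
        # Reject unknown actions here rather than letting the JS fall
        # through to its "else" branch with unexpected data.
        raise ValueError("unknown popup action: %r" % action)
    return data


def extract_json(rendered, element_id):
    """Mimic the browser side: take the element's text content and parse it as JSON."""
    start_tag = '<script id="%s" type="application/json">' % element_id
    start = rendered.index(start_tag) + len(start_tag)
    end = rendered.index("</script>", start)
    return json.loads(rendered[start:end])


if __name__ == "__main__":
    # Constructed object name carrying every character that matters in script context.
    hostile_name = '</script><b>bold</b> & "quoted"'
    html = json_script(popup_response_data("change", "7", hostile_name, "Renamed"), "popup_response_data")
    print(html)
    assert html.count("</script>") == 1
    assert extract_json(html, "popup_response_data")["obj"] == hostile_name
```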