Great ideas, James. I totally agree we shouldn't rest on our laurels, and love the goal of pushing things forwards. Overall, I'm not sure a DEP is needed: each of these things is fairly small and tightly scoped, can be implemented on its own, and provides value independent of the whole. That seems like a scenario where just a bunch of loosely-related PRs makes the most sense. Added bonus: many of these things would be fairly easy pickings for a new contributor. If you wanted, you could delegate/coordinate some of this, and help us get more folks involved as a bonus.
Some comments on specifics:

On Tue, May 1, 2018 at 12:28 AM, James Bennett <[email protected]> wrote:

> Content Security Policy

CSP is a tricky one. On the one hand, it's a tremendously effective defense against XSS. But, it's pretty tricky to get right: I've seen several sites struggle with a proper CSP config for years. It tends to be beyond the grasp of your classic one- or two-person dev team. When you get it wrong, it totally hoses your site. Most complex sites find they need to operate in report-only mode for a while and analyze the data before switching to enforce. And that requires a good reporting/analysis mechanism (something like report-uri.com, or a local equivalent).

So all that to say: I highly support exploring this more, but it could be easy to turn CSP into a foot-gun. I don't think it's as easy as just shipping django-csp and calling it a day; we'd need to make sure it's not going to cause more problems than it solves.

> Referrer-Policy

+1, this seems like a no-brainer.

> Subresource integrity

The jury seems to still be out on the value of SRI (at least, in my corner of the security community). It has some serious problems with dynamic assets, and with externally-hosted tools like Google Analytics. I'm not convinced that the current spec is fully-baked enough for us to support. The admin's a special case since we tightly control what's shipped there; SRI-for-the-admin would be a nice, if incremental, improvement. Preventing injection attacks in the admin is a very good thing :)

> CORS

Yup, another no-brainer.

> rel="noopener"

I'm not sure I get this one, might need to see what you come up with to understand the effect.

> In my magical stretch-goal land, I'd also figure out a way to support
> the pyup safety library[8] to scan for a requirements file and any
> dependencies in setup.py, and warn if known-insecure versions are
> specified.

This seems entirely doable!
Of course, grappling with the various options for dependency management might make this.. less fun (https://xkcd.com/1987/ ).

Jacob
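Jacob's point about staging CSP in report-only mode and analyzing the reports before switching to enforce, as an added example that is not from this thread, django-csp or Django itself: plain Python (no Django required) that builds the report-only header and aggregates the violation reports browsers POST back. The policy, the `/csp-report/` endpoint path and the sample reports are constructed for illustration.

```python
# Added example: staged CSP rollout. Report-only header first, then a summary
# of what browsers reported blocked, so the policy can be widened deliberately
# before the enforcing header ships. The policy and sample data are constructed.
import json
from collections import Counter
from urllib.parse import urlsplit

# Directive -> sources. A "self only" baseline of the kind the admin could use.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
}

def build_csp_header(policy, report_only, report_uri=None):
    """Return (header_name, header_value). With report_only=True the browser
    only reports violations and never blocks, which is the safe first stage."""
    parts = [f"{d} {' '.join(s)}" for d, s in policy.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(parts)

def summarize_reports(lines):
    """Aggregate CSP violation reports (one JSON object per line, in the
    {"csp-report": {...}} shape browsers POST to report-uri) into a Counter
    keyed by (effective directive, blocked origin). Malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        try:
            rep = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue
        directive = rep.get("effective-directive") or rep.get("violated-directive", "?")
        blocked = rep.get("blocked-uri", "")
        parts = urlsplit(blocked)
        # Collapse to an origin: "which host needs allow-listing" is the decision.
        origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else (blocked or "(none)")
        counts[(directive, origin)] += 1
    return counts

# Constructed sample reports, as a report-uri endpoint might have stored them.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "https://www.google-analytics.com/analytics.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "https://www.google-analytics.com/analytics.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/a", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    'not json at all',
]

if __name__ == "__main__":
    print(build_csp_header(POLICY, report_only=True, report_uri="/csp-report/"))
    for (directive, origin), n in summarize_reports(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:12s} {origin}")
```

The "inline" row is the one that usually turns report-only into a long project: it means a template carries inline script, and the fix is moving it out (or nonces), not widening the allow-list.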
