Regarding CSP, I'd like to point to this thread from a year ago, "Django and CSP strict-dynamic", https://groups.google.com/forum/#!topic/django-developers/n--RWhLAoYM. Unfortunately I haven't had time to follow through on it (yet?).
I think `strict-dynamic` provides an avenue for on-by-default CSP in Django with decent protection, however CSP Level 3 is still in "Working Draft" status it seems.
