#35017: Template openlayers.html with inline script - Content-Security-Policy
----------------------------------------------------------------------------
               Reporter:  Matthieu Marrast
                  Owner:  nobody
                   Type:  Cleanup/optimization
                 Status:  new
              Component:  GIS
                Version:  5.0
               Severity:  Normal
               Keywords:  CSP, Content-Security-Policies, script, unsafe-inline, inline script
           Triage Stage:  Unreviewed
              Has patch:  0
    Needs documentation:  0
            Needs tests:  0
Patch needs improvement:  0
          Easy pickings:  0
                  UI/UX:  0
----------------------------------------------------------------------------
 The template **openlayers.html**
 (https://github.com/django/django/blob/main/django/contrib/gis/templates/gis/openlayers.html)
 provides an **inline script**:

 {{{
 <script>
         {% block base_layer %}
             var base_layer = new ol.layer.Tile({
                 source: new ol.source.XYZ({
                     attributions: "NASA Worldview",
                     maxZoom: 8,
                     url: "https://map1{a-c}.vis.earthdata.nasa.gov/wmts-webmerc/" +
                          "BlueMarble_ShadedRelief_Bathymetry/default/%7BTime%7D/" +
                          "GoogleMapsCompatible_Level8/{z}/{y}/{x}.jpg"
                 })
             });
         {% endblock %}
         {% block options %}var options = {
             base_layer: base_layer,
             geom_name: '{{ geom_type }}',
             id: '{{ id }}',
             map_id: '{{ id }}_map',
             map_srid: {{ map_srid|unlocalize }},
             name: '{{ name }}'
         };
         {% endblock %}
         var {{ module }} = new MapWidget(options);
 </script>
 }}}

 So to make it work with Content-Security-Policy, we must add
 `script-src 'unsafe-inline'` to our HTTP response headers.
 This is not safe. Security and pentest tools raise alerts regarding this.

 Without this security policy, the map is not shown.

 References:
 - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
 - https://www.w3.org/TR/CSP2/
 - https://www.w3.org/TR/CSP/
 - https://caniuse.com/#search=content+security+policy
 - https://content-security-policy.com/
 - https://github.com/shapesecurity/salvation
 - https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

-- 
Ticket URL: <https://code.djangoproject.com/ticket/35017>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
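The following is an added example, written for this page and not code from Django or from the ticket reporter, to make the CSP mechanics concrete: why `'unsafe-inline'` is the weak setting, and how a per-response nonce (or, for a script whose text never changes, a hash-source) lets the widget's inline `<script>` run under a policy that still blocks injected inline scripts. `RENDERED_SCRIPT_BODY` is a constructed rendering of the template's `options` block; `add_nonce_to_script_tags` stands in for whatever mechanism (a template override, a middleware) puts the `nonce` attribute on the tag in a real deployment, and the rule it evaluates is the CSP Level 3 behaviour that any nonce- or hash-source in `script-src` causes `'unsafe-inline'` to be ignored.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample: the inline script body the Django template emits once
# rendered. Its content is page-specific (widget id, SRID, module name), so a
# static hash-source cannot be shipped for it; a per-response nonce is the
# workable alternative.
RENDERED_SCRIPT_BODY = """
    var options = {
        base_layer: base_layer,
        geom_name: 'POINT',
        id: 'id_location',
        map_id: 'id_location_map',
        map_srid: 3857,
        name: 'location'
    };
    var geodjango_location = new MapWidget(options);
"""


def make_nonce(nbytes=16):
    """Fresh, unguessable nonce for one HTTP response (base64 text, as CSP requires)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def sha256_source(script_body):
    """CSP hash-source for a fixed inline script: SHA-256 over the exact text between
    <script> and </script>, whitespace included, base64-encoded."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def add_nonce_to_script_tags(html, nonce):
    """Stamp nonce="..." on every <script ...> opening tag of a rendered fragment.
    Constructed helper: in practice the template itself would carry the attribute."""
    return re.sub(r"<script(?=[\s>])", '<script nonce="%s"' % nonce, html)


def inline_script_allowed(script_src, script_body, nonce=None):
    """Decide whether an inline <script> runs under a script-src directive, following
    the CSP Level 3 rule: if the directive lists any nonce- or hash-source, the
    'unsafe-inline' keyword is ignored and the script runs only when its nonce
    attribute matches or its hash is listed; otherwise it runs only with
    'unsafe-inline'. Only sha256 hash-sources are computed here."""
    sources = script_src.split()[1:]  # drop the directive name
    nonces = {s for s in sources if s.startswith("'nonce-")}
    hashes = {s for s in sources if re.match(r"'sha(256|384|512)-", s)}
    if nonces or hashes:
        if nonce is not None and "'nonce-%s'" % nonce in nonces:
            return True
        return sha256_source(script_body) in hashes
    return "'unsafe-inline'" in sources


def compare_policies(script_body):
    """Evaluate candidate script-src policies against the widget's inline script and
    return {label: allowed}. A nonce is generated per call, as it would be per request."""
    nonce = make_nonce()
    policies = {
        "strict": "script-src 'self'",
        "unsafe-inline": "script-src 'self' 'unsafe-inline'",
        "nonce": "script-src 'self' 'nonce-%s'" % nonce,
        "sha256-hash": "script-src 'self' " + sha256_source(script_body),
    }
    return {
        label: inline_script_allowed(policy, script_body, nonce=nonce)
        for label, policy in policies.items()
    }


if __name__ == "__main__":
    for label, allowed in compare_policies(RENDERED_SCRIPT_BODY).items():
        print("%-14s -> %s" % (label, "runs" if allowed else "blocked"))
    print(add_nonce_to_script_tags("<script>\n  // widget\n</script>", make_nonce()))
```

The "strict" policy blocks the widget (the symptom in the ticket), "unsafe-inline" lets it run but equally lets any injected inline script run, and the nonce policy lets only the tag carrying this response's nonce run; adding `'unsafe-inline'` next to the nonce changes nothing for CSP3 browsers, which is why the nonce must be unique per response and not reused.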
