#36784: Add CSP support to Django's script object and media objects
--------------------------------+-----------------------------------------
Reporter: Johannes Maron | Type: Uncategorized
Status: new | Component: Forms
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+-----------------------------------------
Django 5.2 added official support for a script object in media classes
#35886
However, the introduction of CSP's nonce-function in Django 6.0 seems to
have overlooked both old form media rendering and the script-object.
Furthermore, the template processor-based approach currently doesn't
provide practical solution of object based media assets.
I'd suggest updating the media class and tag-rendering to include a nonce
values by default, or the least an opt-in that doesn't require the request
context in during form definition.
If there already is an easy way to add nonce-values to form media, I'd
suggest that we add a few lines of documentation for the next developer
looking for it.
--
Ticket URL: <https://code.djangoproject.com/ticket/36784>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019afeda32a0-1e379ec8-73b8-4371-a812-d6ed5d623d1f-000000%40eu-central-1.amazonses.com.
