#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs              | Type: Uncategorized
Status: new                          | Component: contrib.admin
Version: 6.0                         | Severity: Normal
Keywords: CSP, nonce, admin          | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
When a Content Security Policy is configured in `settings.py` with
directives that require script nonces, for example:
{{{
#!python
from django.utils.csp import CSP  # source-expression constants used below

SECURE_CSP = {
    "object-src": [CSP.NONE],
    "base-uri": [CSP.NONE],
    "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}
}}}
the Django admin interface stops working because the inline and linked
scripts used by the admin do not receive a nonce, resulting in CSP
violations.
**Expected behavior:**
When CSP nonces are enabled, the Django admin should either automatically
apply nonces to its scripts, or there should be a documented and supported
way to make the admin compatible with nonce-based CSP configurations.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
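The following is an added example, not part of the ticket above and not Django's own code. It models, without importing Django, why a `script-src` directive built from `CSP.NONCE` breaks pages whose `<script>` tags carry no nonce: a `SECURE_CSP`-style dict is rendered into a `Content-Security-Policy` header with a fresh per-response nonce, and a small checker lists the script tags a nonce-only policy would refuse to execute. The `CSP` class, `build_csp_header`, `find_unnonced_scripts`, `demo` and the sample HTML (including the `/static/admin/js/placeholder.js` path) are all constructed for this example; in Django 6.0 the real pieces are the `CSP` constants in `django.utils.csp`, the CSP middleware, and the `csp_nonce` template variable that templates must put on each script tag.

```python
import base64
import re
import secrets


class CSP:
    # Constructed stand-ins for the CSP source-expression keywords. NONCE is a
    # sentinel that build_csp_header() replaces with the per-response value.
    NONE = "'none'"
    SELF = "'self'"
    NONCE = "<CSP_NONCE_SENTINEL>"
    STRICT_DYNAMIC = "'strict-dynamic'"


# Same shape as the settings.py fragment in the ticket.
SECURE_CSP = {
    "object-src": [CSP.NONE],
    "base-uri": [CSP.NONE],
    "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}


def make_nonce(nbytes=16):
    """A fresh, unguessable nonce; one per response, never reused."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp_header(policy, nonce):
    """Render a policy dict into a Content-Security-Policy header value,
    substituting 'nonce-<value>' for the NONCE sentinel."""
    parts = []
    for directive, sources in policy.items():
        rendered = [f"'nonce-{nonce}'" if s == CSP.NONCE else s for s in sources]
        parts.append(f"{directive} {' '.join(rendered)}")
    return "; ".join(parts)


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""")


def find_unnonced_scripts(html, nonce):
    """Return the opening <script> tags that a nonce-based script-src blocks:
    those with no nonce attribute, or with a nonce that does not match.
    Only static markup is inspected; scripts that a nonced script later
    inserts (allowed by 'strict-dynamic') are outside this check."""
    blocked = []
    for match in SCRIPT_TAG.finditer(html):
        attr = NONCE_ATTR.search(match.group(1))
        if attr is None or attr.group(1) != nonce:
            blocked.append(match.group(0))
    return blocked


def demo():
    """Constructed page: one nonced inline script (allowed), one linked and one
    inline script without a nonce (both blocked). The latter two are the shape
    of the admin breakage the ticket describes."""
    nonce = make_nonce()
    header = build_csp_header(SECURE_CSP, nonce)
    html = f"""
    <script nonce="{nonce}">window.ready = true;</script>
    <script src="/static/admin/js/placeholder.js"></script>
    <script>document.title = "example";</script>
    """
    return header, find_unnonced_scripts(html, nonce)


if __name__ == "__main__":
    header, blocked = demo()
    print("Content-Security-Policy:", header)
    for tag in blocked:
        print("blocked by script-src:", tag)
```

Running the module prints the rendered header and the two tags the policy would block. Running `find_unnonced_scripts` over a rendered admin page (with the nonce the response actually used) is a quick way to confirm whether a template has put `csp_nonce` on every script before relying on a nonce-based policy in production, and `SECURE_CSP_REPORT_ONLY`-style report-only deployment gives the same signal from real browsers.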