#36825: CSP nonces are not applied in the Django admin
-----------------------------------+------------------------------------
Reporter: Carsten Fuchs | Owner: (none)
Type: New feature | Status: new
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+------------------------------------
Changes (by Natalia Bidart):
* cc: Rob Hudson (added)
* stage: Unreviewed => Accepted
* type: Uncategorized => New feature
Comment:
Hello Carsten!
Thank you for taking the time to create this report. I have confirmed your
findings:
{{{
Content-Security-Policy: The page’s settings blocked a script (script-src-
elem) at http://localhost:9000/static/admin/js/theme.js from being
executed because it violates the following directive: “script-src 'strict-
dynamic'” admin
Content-Security-Policy: The page’s settings blocked a script (script-src-
elem) at http://localhost:9000/static/admin/js/nav_sidebar.js from being
executed because it violates the following directive: “script-src 'strict-
dynamic'”
}}}
I am accepting this ticket as a new feature for 6.1, subject to volunteer
contributions, to add nonce-based CSP support in the admin. Would you like
to work on a branch?
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019b4c5528bf-05524c06-3aa0-4bcd-ad7b-4a25a38d4eaf-000000%40eu-central-1.amazonses.com.
