#15727: out of the box support for CSP would totally rock!
-----------------------------------------+----------------------
Reporter: db.pub.mail@… | Owner: nobody
Status: new | Milestone:
Component: HTTP handling | Version: 1.2
Resolution: | Keywords:
Triage Stage: Someday/Maybe | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 |
-----------------------------------------+----------------------
Changes (by lukeplant):
* component: Uncategorized => HTTP handling
* stage: Unreviewed => Someday/Maybe
Comment:
Having just read the specs now, it appears that for this to work you
cannot have inline scripts. From looking at django-csp, it appears there
is an option to re-enable inline scripts, but that would appear to
seriously limit the usefulness of the protection.
The disabling of inline scripts is problematic for us in a number of ways:
* Various places in the admin use inline scripts
* Lots of Django projects will use the pattern of using `{% url %}` inside
an inline javascript block in a template, even if the bulk of the
javascript is in a separate file. There have been
[http://groups.google.com/group/django-developers/browse_thread/thread/d0faa1bfa62e8d6 discussions] recently
about how to improve this, but no conclusion yet.
If a CSP middleware is not compatible with either our killer app or many
third party apps, I'm afraid I don't share the enthusiasm of the reporter!
It isn't going to get much use in Django, and there wouldn't be much point
adding it. I should also note that due to the autoescaping feature of our
template language, we have a pretty good record with XSS. (Not that
additional security wouldn't be welcome, I'm just pointing out that it
isn't a special priority for us).
To mark 'Accepted' would really imply that we are going to do something
about the inline HTML in the admin and these other problems, which is
unlikely in all honesty, so I'm going to mark as Someday/Maybe instead,
although I'm also inclined towards Wontfix, because we need some
compelling reason why this should be in core rather than as an external
app like django-csp.
--
Ticket URL: <http://code.djangoproject.com/ticket/15727#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
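As an added illustration (not code from the ticket, from django-csp or from Django itself), the check below finds the inline `<script>` blocks the comment is worried about, the ones a policy without `'unsafe-inline'` refuses to run, and shows the per-response nonce that later CSP revisions added to let a specific inline block through; the sample page, the header value and all function names are constructed assumptions.

```python
import secrets
from html.parser import HTMLParser

def make_nonce():
    # One fresh, unguessable value per response; never reuse it across requests.
    return secrets.token_urlsafe(16)

def csp_header(nonce):
    # No 'unsafe-inline': only same-origin external scripts and blocks carrying this nonce run.
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"

class _ScriptCollector(HTMLParser):
    # Records every <script>: its src, nonce attribute, whether it has an inline body, and its line.
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "nonce": a.get("nonce"),
                             "inline": False, "line": self.getpos()[0]}
    def handle_data(self, data):
        # HTMLParser hands the raw script body to handle_data; any non-blank body is inline code.
        if self._current is not None and data.strip():
            self._current["inline"] = True
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def blocked_inline_scripts(html, nonce):
    """Line numbers of inline <script> blocks that csp_header(nonce) would refuse to execute."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return [s["line"] for s in p.scripts
            if s["inline"] and s["src"] is None and s["nonce"] != nonce]

# Constructed sample page, not a real admin template: line 3 is the "{% url %} inside an
# inline block" pattern the comment describes; line 4 is the same data in a nonced block.
SAMPLE_PAGE = """<html><body>
<script src="/static/admin.js"></script>
<script>var changelistUrl = "/admin/auth/user/";</script>
<script nonce="{nonce}">var ctx = {{"changelistUrl": "/admin/auth/user/"}};</script>
</body></html>"""

if __name__ == "__main__":
    nonce = make_nonce()
    print(csp_header(nonce))
    print("blocked inline scripts, by line:", blocked_inline_scripts(SAMPLE_PAGE.format(nonce=nonce), nonce))
```

Running the same check over rendered templates in a test suite is one way to inventory the inline blocks (admin pages included) that would have to move to external files or nonced blocks before such a policy could be turned on.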