I'm very interested in getting this into 1.10. I can devote some time to it to help.
When I looked at it before, based on the time I had available, it didn't seem feasible for me to remove every single inline script, especially with form widgets that include templated JavaScript. Instead I was looking at the two ways to whitelist scripts with CSP, namely script-nonce and script hash sources. The disadvantage with either of these approaches is that they need to be integrated with the middleware adding the CSP header, to communicate the current page nonce or the list of hashes. script-nonces also totally destroy caching, because each response has to have a unique nonce that's referenced by each inline script. Ideally Django admin would just be compatible with whatever CSP header the user wants, without any specific integration, so removing all inline scripts and styles is certainly preferable if you have the time.

> Oh, btw please do not handwrite JSON in templates,

Absolutely, the view should build a data structure representing the data to be encoded as JSON rather than templating it.

> which then only needs to go through the autoescape filter I think

This is actually incorrect. <script> tags in HTML5 are Raw Text elements, so Django's autoescaping doesn't work because HTML entities are not decoded inside Raw Text elements [1]. I use the json filter from django-argonauts [2] in all my projects to do JSON encoding.

[1]: http://www.w3.org/TR/html5/syntax.html#raw-text-elements
[2]: https://github.com/fusionbox/django-argonauts#filter
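The raw-text point above is easy to see in code. The following is an added example, not code from the post, from Django, or from django-argonauts: it contrasts three ways of placing a JSON value inside an inline `<script>` block. Plain `json.dumps` output can contain a literal `</script>`, which the HTML parser treats as the end of the element; running that output through an HTML autoescape step (modelled here with Python's `html.escape`) produces entities such as `&quot;` that are never decoded inside the raw-text element, so the JavaScript no longer even parses; encoding `<`, `>` and `&` as JSON `\uXXXX` escapes keeps the output both inert as HTML and valid JSON. That escape table is an assumption about how a script-safe JSON filter can work, not a description of the argonauts filter's implementation, and the sample value is constructed.

```python
import html
import json

# Assumed escape table: inside a <script> raw-text element only "<" (which can
# begin "</script>") and "&" need attention, ">" is escaped for symmetry.
# Each replacement is a valid JSON string escape, so json.loads still works.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_script(value):
    """JSON-encode value so it can be embedded in <script> without ending it."""
    encoded = json.dumps(value)
    return "".join(_SCRIPT_ESCAPES.get(ch, ch) for ch in encoded)


def json_then_html_escape(value):
    """What templating JSON under HTML autoescaping produces (the wrong approach)."""
    return html.escape(json.dumps(value), quote=True)


def breaks_out_of_script(encoded):
    """True if the text contains a closing script tag the HTML parser would honour."""
    return "</script" in encoded.lower()


def parses_as_json(encoded):
    """True if the text is still valid JSON (and therefore a valid JS literal here)."""
    try:
        json.loads(encoded)
    except ValueError:
        return False
    return True


def compare_encodings(value):
    """Summarise how each encoding of value behaves inside <script>."""
    raw = json.dumps(value)
    escaped = json_then_html_escape(value)
    safe = json_for_script(value)
    return {
        "raw_breaks_out": breaks_out_of_script(raw),
        "escaped_parses": parses_as_json(escaped),
        "safe_breaks_out": breaks_out_of_script(safe),
        "safe_round_trips": json.loads(safe) == value,
    }


# Constructed sample: user-controlled strings containing a script terminator
# and characters that HTML escaping would turn into undecoded entities.
SAMPLE = {"title": "x</script><b>y", "expr": "a < b & c"}

if __name__ == "__main__":
    for name, result in compare_encodings(SAMPLE).items():
        print(f"{name}: {result}")
    print("<script>var data = " + json_for_script(SAMPLE) + ";</script>")
```

The last line shows the shape a view or filter would emit: the data structure is built in Python, encoded once, and dropped into the template as a single opaque value rather than assembled from template fragments.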