Re: [Django] #36784: Add CSP support to Django's script object and media objects

Wed, 10 Dec 2025 01:56:46 -0800 

#36784: Add CSP support to Django's script object and media objects
--------------------------------+------------------------------------
     Reporter:  Johannes Maron  |                    Owner:  (none)
         Type:  New feature     |                   Status:  new
    Component:  Forms           |                  Version:  6.0
     Severity:  Normal          |               Resolution:
     Keywords:                  |             Triage Stage:  Accepted
    Has patch:  0               |      Needs documentation:  0
  Needs tests:  0               |  Patch needs improvement:  0
Easy pickings:  0               |                    UI/UX:  0
--------------------------------+------------------------------------
Comment (by Pravin):

 Any thoughts on below failing testcase for above behaviour ?

 {{{
 from django.test import SimpleTestCase, override_settings
 from django.forms import Form
 from django.template import Context, Template
 from django.utils.csp import CSP

 class FormWithJsMedia(Form):
     class Media:
         js = ["path/to/js_file.js"]

 @override_settings(
     STATIC_URL="/static/",
     MIDDLEWARE=[
         "django.middleware.security.SecurityMiddleware",
         "django.middleware.csp.ContentSecurityPolicyMiddleware",
     ],
     TEMPLATES=[{
         "BACKEND": "django.template.backends.django.DjangoTemplates",
         "APP_DIRS": True,
         "OPTIONS": {
             "context_processors": [
                 "django.template.context_processors.request",
                 "django.template.context_processors.csp",
             ],
         },
     }],
     SECURE_CSP={
         "default-src": [CSP.SELF],
         "script-src": [CSP.SELF, CSP.NONCE],
     }
 )
 class CSPMediaTest(SimpleTestCase):
     def test_form_media_js_missing_nonce(self):
         form = FormWithJsMedia()
         tpl = Template("{% load static %}{{ form.media }}")
         rendered = tpl.render(Context({"form": form}))
         self.assertIn('<script src="/static/path/to/js_file.js">',
 rendered)
         self.assertIn('nonce="', rendered)

 }}}
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36784#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019b07b0fd7c-f18e0a01-75f0-44d3-a28c-93f833b78811-000000%40eu-central-1.amazonses.com.

Reply via email to