Re: [Django] #36825: CSP nonces are not applied in the Django admin

[Django]

#36825: CSP nonces are not applied in the Django admin
-----------------------------------+--------------------------------------
     Reporter:  Carsten Fuchs      |                    Owner:  (none)
         Type:  Uncategorized      |                   Status:  new
    Component:  contrib.admin      |                  Version:  6.0
     Severity:  Normal             |               Resolution:
     Keywords:  CSP, nonce, admin  |             Triage Stage:  Unreviewed
    Has patch:  0                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+--------------------------------------
Description changed by Carsten Fuchs:

Old description:

> When a Content Security Policy is configured in `settings.py` with
> directives that require script nonces, for example:
>
> {{{
> #!python
> SECURE_CSP = {
>     "object-src": [CSP.NONE],
>     "base-uri": [CSP.NONE],
>     "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
> }
> }}}
>
> the Django admin interface stops working because the inline and linked
> scripts used by the admin do not receive a nonce, resulting in CSP
> violations.
>
> **Expected behavior:**
> When CSP nonces are enabled, the Django admin should either automatically
> apply nonces to its scripts, or there should be a documented and
> supported way to make the admin compatible with nonce-based CSP
> configurations.

New description:

 When a Content Security Policy is configured in `settings.py` with
 directives that require script nonces, for example:

 {{{
 #!python
 SECURE_CSP = {
     "object-src": [CSP.NONE],
     "base-uri": [CSP.NONE],
     "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
 }
 }}}

 the Django admin interface stops working because the linked scripts used
 by the admin do not receive a nonce, resulting in CSP violations.

 **Expected behavior:**
 When CSP nonces are enabled, the Django admin should either automatically
 apply nonces to its scripts, or there should be a documented and supported
 way to make the admin compatible with nonce-based CSP configurations.

--
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019b4c506793-29adcf3a-3578-4375-8242-933d55b32cd6-000000%40eu-central-1.amazonses.com.