[Django] #35692: form media elements should support emitting CSP nonces


Django

Aug 19, 2024, 10:03:06 AM8/19/24
to django-...@googlegroups.com
#35692: form media elements should support emitting CSP nonces
--------------------------------+---------------------------------------
Reporter: László Károlyi | Type: New feature
Status: new | Component: Forms
Version: 4.2 | Severity: Normal
Keywords: csp | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+---------------------------------------
Hello,

there is the django-csp PyPI module that makes the setting of a proper CSP
achievable in Django. If one uses 'strict-dynamic' and a nonce per
request, all script tags (and eventually link/style tags) will need the
nonce emitted at render time.

I've already committed a change to django-debug-toolbar with this that is
now accepted: https://github.com/jazzband/django-debug-toolbar/pull/1975

In Django itself, the form media tags are generated in
`django/forms/widgets.py`:

https://github.com/django/django/blob/e0579ce27746b04a37cf43559df445068fd2a781/django/forms/widgets.py#L93

Respectively, the `render_js` and `render_css` methods are called.

The problem is, in order to emit the nonce, one needs the request object
that is not passed to the media object, since that contains the
`csp_nonce` variable. One possibility would be to fetch the current
request from the current thread, which is probably not a good idea in an async
environment. In the toolbar module, I simply look for a `csp_nonce` to see
if it's set, and render if it is.

This will lead to more issues down the line, so I request a change on
this. For the time being, it's only avoidable by rendering the media tags
manually.
--
Ticket URL: <https://code.djangoproject.com/ticket/35692>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
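As an added example (not code from the ticket, django-csp or Django itself), here is a stdlib-only stand-in modelled on the shape of `django.forms.Media` that takes the approach the ticket describes for django-debug-toolbar: since the media object never sees the request, the view attaches the request's nonce to it before rendering, and `render_js`/`render_css` emit `nonce="..."` only when one is present and well-formed. The class and helper names are assumptions, and unlike Django's `Media` it does not resolve paths against `STATIC_URL`.

```python
import html
import re
from itertools import chain

# Nonces are base64 text; anything else is refused so a bad value can never
# break out of the attribute. (Constructed check, not Django's.)
_NONCE_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def is_valid_nonce(nonce):
    return bool(nonce) and _NONCE_RE.match(nonce) is not None


class NonceMedia:
    """Stand-in for django.forms.Media (assumed render_js/render_css shape).
    The view attaches request.csp_nonce before rendering, as the ticket
    describes for the toolbar, since Media never sees the request."""

    def __init__(self, js=(), css=None):
        self._js = list(js)
        self._css = dict(css or {})  # medium -> list of paths, like Media
        self.csp_nonce = None

    def _nonce_attr(self):
        if not self.csp_nonce:
            return ""  # no CSP nonce: render exactly like plain Media
        if not is_valid_nonce(self.csp_nonce):
            raise ValueError("refusing to emit a malformed CSP nonce")
        return ' nonce="%s"' % html.escape(self.csp_nonce, quote=True)

    def render_js(self):
        attr = self._nonce_attr()
        return ['<script src="%s"%s></script>' % (html.escape(p, quote=True), attr)
                for p in self._js]

    def render_css(self):
        attr = self._nonce_attr()
        return ['<link href="%s" media="%s" rel="stylesheet"%s>'
                % (html.escape(p, quote=True), html.escape(m, quote=True), attr)
                for m in sorted(self._css) for p in self._css[m]]

    def render(self):
        return "\n".join(chain(self.render_css(), self.render_js()))


def render_form_media(media, csp_nonce):
    """What a view does: hand the request's nonce to the media, then render."""
    media.csp_nonce = csp_nonce
    return media.render()
```

With no nonce attached the output is byte-for-byte what plain `Media` would produce, so the same widgets work whether or not django-csp is installed.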

Django

Aug 19, 2024, 11:41:24 AM8/19/24
to django-...@googlegroups.com
#35692: form media elements should support emitting CSP nonces
--------------------------------+--------------------------------------
Reporter: László Károlyi | Owner: (none)
Type: New feature | Status: closed
Component: Forms | Version: 4.2
Severity: Normal | Resolution: duplicate
Keywords: csp | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Changes (by Sarah Boyce):

* resolution: => duplicate
* status: new => closed

Comment:

I might be wrong, but it feels like support for `strict-dynamic` is being
worked on in #15727.
You might be able to work on this with `Refs #15727`, but align this work
to any work being progressed as part of that ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/35692#comment:1>

Django

Sep 2, 2024, 2:45:13 PM9/2/24
to django-...@googlegroups.com
#35692: form media elements should support emitting CSP nonces
Comment (by Rob Hudson):

I believe this issue is more about requesting that the
`django.forms.widget.Media` class have access to the `request` object so
that the `render_js` and `render_css` (or subclass) could use them to
render the tags with the `nonce`, which could be added independently of
the work in #15727.
--
Ticket URL: <https://code.djangoproject.com/ticket/35692#comment:2>

Django

Sep 2, 2024, 2:48:52 PM9/2/24
to django-...@googlegroups.com
#35692: form media elements should support emitting CSP nonces
Comment (by László Károlyi):

Replying to [comment:2 Rob Hudson]:
> I believe this issue is more about requesting that the
> `django.forms.widget.Media` class have access to the `request` object so
> that the `render_js` and `render_css` (or subclass) could use them to
> render the tags with the `nonce`, which could be added independently of
> the work in #15727.

Indeed, thanks. The issue is not a duplicate and hence it shouldn't have
been closed. It is a separate problem.
--
Ticket URL: <https://code.djangoproject.com/ticket/35692#comment:3>