I’ve noticed that the `django.contrib.gis` module, specifically:
* [https://github.com/django/django/blob/main/django/contrib/gis/forms/widgets.py#L84 forms/widgets.py line 84]
* [https://github.com/django/django/blob/main/django/contrib/gis/forms/widgets.py#L89 forms/widgets.py line 89]
* and [https://github.com/django/django/blob/main/django/contrib/gis/admin/options.py#L64 admin/options.py line 64]
loads JavaScript and CSS files from Cloudflare CDN servers. I find this very irritating, and though [https://docs.djangoproject.com/en/4.0/ref/contrib/gis/forms-api/#django.contrib.gis.forms.widgets.OpenLayersWidget the documentation mentions] that I’m free to override these assets myself, I don’t think it’s a good default for privacy or service reliability to use third-party servers. I’ve noticed this myself because my project’s Content-Security-Policy blocks cross-origin hosts.
As far as I can see the sources are all released under the BSD license and
can probably be shipped along with Django. Is there any reason this hasn’t
been done and would you care for pull requests that include these
libraries as part of the static assets shipped with the
`django.contrib.gis` module?
Thank you for your time,
Konrad
--
Ticket URL: <https://code.djangoproject.com/ticket/33363>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
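As an added example (not part of the ticket and not Django's code): the check a project with a strict Content-Security-Policy can run against a widget's asset list to see exactly which entries the policy refuses. The page origin and policy strings are constructed; the CDN entries are modelled on the `cdnjs.cloudflare.com` URLs the widget's `Media` declared, and the `vendor/ol/` paths are an assumed location for copies served from the project's own static tree.

```python
"""Which of a widget's media URLs would a strict Content-Security-Policy block?

Added example for this ticket, not Django's code. The policy strings, the
page origin and the asset lists are constructed samples: the CDN entries are
modelled on the cdnjs.cloudflare.com URLs the widget's Media declared, and the
vendor/ol/ paths stand for copies vendored into the project's static tree.
"""
from urllib.parse import urlsplit

# CSP fetch directive consulted for each media type; CSP falls back to
# default-src when the specific directive is absent from the policy.
DIRECTIVE_FOR = {"js": "script-src", "css": "style-src"}


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    """Host-source matching: '*' matches anything, '*.example.com' matches
    subdomains only (not example.com itself), anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allowed(sources, url, page_origin):
    """True if `url` matches a source expression in `sources`.

    Covers the expressions needed here: 'none', 'self', scheme sources such as
    "https:", and host sources with an optional scheme and leading "*.".
    Keyword sources ('unsafe-inline'), nonces and hashes never match a URL and
    are skipped; path matching is omitted. A relative path is a static file
    served from the page's own origin.
    """
    if "'none'" in sources:
        return False
    page = urlsplit(page_origin)
    target = urlsplit(url)
    if not target.netloc:
        target = page
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue
        elif src.endswith(":"):
            if target.scheme == src[:-1].lower():
                return True
        else:
            pattern = urlsplit(src if "://" in src else "//" + src)
            if pattern.scheme and pattern.scheme != target.scheme:
                continue
            if _host_matches(pattern.hostname, target.hostname):
                return True
    return False


def blocked_assets(csp_header, page_origin, assets):
    """Return the URLs in `assets` ({"css": [...], "js": [...]}, the shape of a
    Django Media declaration) that the policy would refuse to load."""
    policy = parse_csp(csp_header)
    blocked = []
    for kind, urls in assets.items():
        sources = policy.get(DIRECTIVE_FOR[kind], policy.get("default-src", ["*"]))
        blocked.extend(u for u in urls if not source_allowed(sources, u, page_origin))
    return blocked


PAGE_ORIGIN = "https://maps.example.test"  # constructed

CDN_MEDIA = {  # shape of the widget's Media: CDN copy of OpenLayers plus Django's own files
    "css": ["https://cdnjs.cloudflare.com/ajax/libs/ol3/4.6.5/ol.css", "gis/css/ol3.css"],
    "js": ["https://cdnjs.cloudflare.com/ajax/libs/ol3/4.6.5/ol.js", "gis/js/OLMapWidget.js"],
}
LOCAL_MEDIA = {  # the same declaration after vendoring OpenLayers (assumed paths)
    "css": ["vendor/ol/ol.css", "gis/css/ol3.css"],
    "js": ["vendor/ol/ol.js", "gis/js/OLMapWidget.js"],
}
STRICT_CSP = "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:"


if __name__ == "__main__":
    for name, media in (("CDN-backed widget", CDN_MEDIA), ("vendored widget", LOCAL_MEDIA)):
        print(name, "blocked by strict CSP:",
              blocked_assets(STRICT_CSP, PAGE_ORIGIN, media) or "nothing")
```

Under the `'self'`-only policy the two CDN entries are the only ones refused, while Django's own `gis/...` files and the vendored copies load; allow-listing `cdnjs.cloudflare.com` in `script-src`/`style-src` also passes the check, but keeps the third-party dependency the ticket objects to.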
* stage: Unreviewed => Accepted
Comment:
OK, I think this is in line with other tickets to aid stricter CSPs.
--
Ticket URL: <https://code.djangoproject.com/ticket/33363#comment:1>
--
Ticket URL: <https://code.djangoproject.com/ticket/33363#comment:2>
* cc: Claude Paroz (added)
Comment:
I'm not sure about this, we will increase the size of Django by 1MB ~ 10%,
where many (most?) users don't use GIS.
--
Ticket URL: <https://code.djangoproject.com/ticket/33363#comment:3>
Comment (by Carlton Gibson):
Perhaps then a docs note spelling out more clearly what to do to provide
them locally? 🤔
--
Ticket URL: <https://code.djangoproject.com/ticket/33363#comment:4>
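What such a docs note would spell out, as an added example that is not part of the ticket or of Django: subclass `OpenLayersWidget` with a `Media` that lists only locally served files, and check that nothing cross-origin remains. The `vendor/ol/` paths are an assumed location for copies of `ol.js`/`ol.css` in a static directory; when Django (and the GDAL library its GIS module needs) is importable the real widget is subclassed, otherwise a labelled stand-in base with the same CDN-backed `Media` shape is used so the check still runs.

```python
"""Serve OpenLayers from the project's own static tree, and prove the
widget no longer references any other origin.

Added example for this ticket, not Django's code. OpenLayersWidget is
Django's widget; the vendor/ol/ paths are an assumed location for copies of
ol.js/ol.css placed in a static directory. If Django (with the GDAL library
its GIS module needs) is importable the real widget is subclassed; otherwise
a stand-in base with the same CDN-backed Media shape is used, so the check
below still runs.
"""
from urllib.parse import urlsplit

try:
    from django.contrib.gis.forms.widgets import OpenLayersWidget
except Exception:  # ImportError, or ImproperlyConfigured when GDAL is absent
    class OpenLayersWidget:  # stand-in base; URLs modelled on the widget's Media
        class Media:
            css = {"all": ("https://cdnjs.cloudflare.com/ajax/libs/ol3/4.6.5/ol.css",
                           "gis/css/ol3.css")}
            js = ("https://cdnjs.cloudflare.com/ajax/libs/ol3/4.6.5/ol.js",
                  "gis/js/OLMapWidget.js")


class NaiveLocalWidget(OpenLayersWidget):
    """Looks local but is not: Django merges a subclass's Media into its
    parent's (Media.extend defaults to True), so the CDN entries survive."""
    class Media:
        css = {"all": ("vendor/ol/ol.css",)}
        js = ("vendor/ol/ol.js",)


class LocalOpenLayersWidget(OpenLayersWidget):
    """extend = False discards the inherited Media, so only the same-origin
    static files listed here are ever emitted."""
    class Media:
        extend = False
        css = {"all": ("vendor/ol/ol.css", "gis/css/ol3.css")}
        js = ("vendor/ol/ol.js", "gis/js/OLMapWidget.js")


def _merge(into, paths):
    """Append paths not already present, keeping declaration order."""
    for path in paths:
        if path not in into:
            into.append(path)


def collect_media(widget_cls):
    """Resolve the effective asset lists the way Django's media_property does:
    walk the MRO from the root, merging each class's inner Media, and start
    over when a class sets extend = False (a tuple value for extend, which
    Django also accepts, is treated as True here)."""
    css, js = [], []
    for klass in reversed(widget_cls.__mro__):
        definition = klass.__dict__.get("Media")
        if definition is None:
            continue
        if getattr(definition, "extend", True) is False:
            css, js = [], []
        for paths in getattr(definition, "css", {}).values():
            _merge(css, paths)
        _merge(js, getattr(definition, "js", ()))
    return {"css": css, "js": js}


def cross_origin_assets(widget_cls):
    """Asset references that point at another origin (absolute URLs with a
    host). An empty list means a 'self'-only CSP will load everything."""
    media = collect_media(widget_cls)
    return [p for p in media["css"] + media["js"] if urlsplit(p).netloc]


if __name__ == "__main__":
    for cls in (OpenLayersWidget, NaiveLocalWidget, LocalOpenLayersWidget):
        print(f"{cls.__name__}: cross-origin assets -> {cross_origin_assets(cls) or 'none'}")
```

Wire the widget in with `widget=LocalOpenLayersWidget` on the form field, or, for the admin, `gis_widget = LocalOpenLayersWidget` on a `GISModelAdmin` subclass (Django 4.0's admin API). `OSMWidget` inherits the same `Media`, so a subclass of it needs the same `extend = False`; `cross_origin_assets` makes a useful test-suite guard so a later Django upgrade cannot quietly reintroduce a CDN reference.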
Comment (by Claude Paroz):
I'm with Mariusz here, not thrilled to vendor such "heavy" JS libs. In the
longer term, I guess that Django will not escape using some asset bundler,
which will be the proper fix.
--
Ticket URL: <https://code.djangoproject.com/ticket/33363#comment:5>
* status: new => closed
* resolution: => wontfix
* stage: Accepted => Unreviewed
Comment:
OK, I think that's two for `wontfix`. I suspect folks using strict CSP are
already used to vendoring dependencies themselves, so… — as ever, a
balance to tread.
--
Ticket URL: <https://code.djangoproject.com/ticket/33363#comment:6>