[Django] #25706: Support CSP default-src 'self' on Django Admin GIS
Django
-------------------------------+--------------------
Reporter: graingert | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.8
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
Currently there's work to comply with Content-Security-Policy: default-src
'self' on the base admin.
It's going to require further re-factoring to apply the same to django GIS
This change will also require the addition of Selenium tests for the
Django
--
Ticket URL: <https://code.djangoproject.com/ticket/25706>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: graingert | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.8
Keywords: CSP inline | Triage Stage:
javascript | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by graingert):
* keywords: => CSP inline javascript
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Old description:
> Currently there's work to comply with Content-Security-Policy: default-
> src 'self' on the base admin.
>
> It's going to require further re-factoring to apply the same to django
> GIS
>
> This change will also require the addition of Selenium tests for the
> Django
New description:
Currently there's work (https://github.com/django/django/pull/5567) to
comply with Content-Security-Policy: default-src 'self' on the base admin.
It's going to require further re-factoring to apply the same to django GIS
This change will also require the addition of Selenium tests for the
Django
See also #15727
--
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:1>
Django
Reporter: graingert | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.8
Keywords: CSP inline | Triage Stage:
javascript | Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Description changed by graingert:
Old description:
> Currently there's work (https://github.com/django/django/pull/5567) to
> comply with Content-Security-Policy: default-src 'self' on the base
> admin.
>
> It's going to require further re-factoring to apply the same to django
> GIS
>
> This change will also require the addition of Selenium tests for the
> Django
>
> See also #15727
New description:
Currently there's work (https://github.com/django/django/pull/5567) to
comply with Content-Security-Policy: default-src 'self' on the base admin.
It's going to require further re-factoring to apply the same to django GIS
This change will also require the addition of Selenium tests for the
Django GIS Admin
See also #15727
--
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:2>
Django
Reporter: graingert | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.8
Keywords: CSP inline | Triage Stage:
javascript | Unreviewed
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Description changed by graingert:
Old description:
> Currently there's work (https://github.com/django/django/pull/5567) to
> comply with Content-Security-Policy: default-src 'self' on the base
> admin.
>
> It's going to require further re-factoring to apply the same to django
> GIS
>
> This change will also require the addition of Selenium tests for the
> Django GIS Admin
>
> See also #15727
New description:
Currently there's work (https://github.com/django/django/pull/5567) to
comply with Content-Security-Policy: default-src 'self' on the base admin.
It's going to require further re-factoring to apply the same to django GIS
This change will also require the addition of Selenium tests for the
Django Admin GIS UI
See also #15727
--
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:3>
Django
Reporter: graingert | Owner: nobody
Type: | Status: new
Cleanup/optimization |
Component: GIS | Version: master
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by timgraham):
* component: Uncategorized => GIS
* version: 1.8 => master
* type: Uncategorized => Cleanup/optimization
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:4>
Django
Reporter: graingert | Owner: nobody
Type: | Status: new
Cleanup/optimization |
Component: GIS | Version: master
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by claudep):
This [https://github.com/django/django/pull/7205 PR] does the job for the
GIS forms/widgets. I may need help for JS correctness...
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:5>
Django
Reporter: Thomas Grainger | Owner: nobody
Type: | Status: new
Cleanup/optimization |
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by GitHub <noreply@…>):
In [changeset:"322a1a037d4d2f18744c5d1a1efc2e84d4c5e94b" 322a1a03]:
{{{
#!CommitTicketReference repository=""
revision="322a1a037d4d2f18744c5d1a1efc2e84d4c5e94b"
Refs #25706 - Removed inline JavaScript from OpenLayers template.
This allows setting a Content-Security-Policy HTTP header.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:6>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Claude Paroz):
* owner: nobody => Claude Paroz
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:7>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mariusz Felisiak <felisiak.mariusz@…>):
In [changeset:"44c24bf02835323d5418512ebe8e76166739ebf8" 44c24bf]:
{{{
#!CommitTicketReference repository=""
revision="44c24bf02835323d5418512ebe8e76166739ebf8"
Refs #25706 -- Removed inline CSS in the openlayers widget template.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:8>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Mariusz Felisiak):
Claude, Is there anything left for this ticket 🤔 ?
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:9>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Claude Paroz):
Absolutely, the challenge here is to remove any JS code from
`contrib/gis/templates/gis/openlayers.html` (and `openlayers-osm.html`),
which is currently defining the base map layer and instanciating the
MapWidget (with that layer in initializer options).
Any suggestion on how to proceed without losing customization capabilities
is warmly welcome!
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:10>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Matthieu Marrast):
I opened the same issue : https://code.djangoproject.com/ticket/35017
(sorry for the duplicate)
I'm interested by a solution.
What is the problem with PR https://github.com/django/django/pull/7205 ?
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:11>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Claude Paroz):
Replying to [comment:11 Matthieu Marrast]:
> What is the problem with PR https://github.com/django/django/pull/7205 ?
I would say the main problem is to replace the `base_layer` block which
was not present at the time of that patch, and still allow base layer
customization. It would probably imply specifying a custom js file
somewhere, but someone has to come with a good plan to put pieces in place
for that, with an upgrade path.
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:12>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Needs tests: 0 | Patch needs improvement: 0
Changes (by Claude Paroz):
Comment:
So I decided to bite the bullet once more and cook
[https://github.com/django/django/pull/18494 a new patch], giving up on
the backwards compatibility part, as I think it would be too hard to do
(unless someone suggests a reasonable deprecation path).
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:13>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 1 | Needs documentation: 0
Changes (by Natalia Bidart):
* needs_better_patch: 0 => 1
Comment:
I haven't started a "full review" on this one but it would be helpful to
have the docs and JS tests passing to start with.
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:14>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 1 | Needs documentation: 0
Changes (by Sarah Boyce):
* needs_better_patch: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:15>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 1 | Needs documentation: 0
Changes (by Sarah Boyce):
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:16>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
Keywords: CSP inline | Triage Stage: Accepted
javascript |
Has patch: 1 | Needs documentation: 0
Changes (by Natalia Bidart):
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:17>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: assigned
Component: GIS | Version: dev
Severity: Normal | Resolution:
javascript | checkin
Changes (by Sarah Boyce):
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:18>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Component: GIS | Version: dev
Severity: Normal | Resolution: fixed
javascript | checkin
Has patch: 1 | Needs documentation: 0
Changes (by nessita <124304+nessita@…>):
* resolution: => fixed
* status: assigned => closed
Comment:
In [changeset:"f2f6046c0f92ff1faed057da0711ac478eef439c" f2f6046c]:
{{{#!CommitTicketReference repository=""
revision="f2f6046c0f92ff1faed057da0711ac478eef439c"
Fixed #25706 -- Refactored geometry widgets to remove inline JavaScript.
Refactored GIS-related JavaScript initialization to eliminate inline
scripts from templates. Added support for specifying a base layer using
the new `base_layer_name` attribute on `BaseGeometryWidget`, allowing
custom map tile providers via user-defined JavaScript.
As a result, the `gis/openlayers-osm.html` template was removed.
Thanks Sarah Boyce for reviews.
Co-authored-by: Natalia <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:19>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: closed
Component: GIS | Version: dev
Severity: Normal | Resolution: fixed
Keywords: CSP inline | Triage Stage: Ready for
javascript | checkin
Has patch: 1 | Needs documentation: 0
Comment (by nessita <124304+nessita@…>):
In [changeset:"0a262c8407a2f4e4971118ca435c6931c40b70ae" 0a262c84]:
{{{#!CommitTicketReference repository=""
revision="0a262c8407a2f4e4971118ca435c6931c40b70ae"
Fixed #36537 -- Ensured unique HTML IDs for geometry widget option scripts
in the admin.
This work amends the code from f2f6046c0f92ff1faed057da0711ac478eef439c
where multiple geometry widgets rendered `<script>` elements in the
admin with the same HTML `id`, resulting in invalid HTML and fragile
JavaScript selectors. Refs #25706.
This change uses the widget's textarea ID to generate a unique `id` for
each JSON options `<script>`, ensuring valid and robust markup.
Co-authored-by: Natalia <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:20>
Django
Reporter: Thomas Grainger | Owner: Claude
Type: | Paroz
Cleanup/optimization | Status: closed
Component: GIS | Version: dev
Severity: Normal | Resolution: fixed
Keywords: CSP inline | Triage Stage: Ready for
javascript | checkin
Has patch: 1 | Needs documentation: 0
Comment (by GitHub <noreply@…>):
{{{#!CommitTicketReference repository=""
revision="ad4a9e0f3b1de261409bc083aa49dba705531824"
Refs #25706 -- Fixed versionadded indentation in docs/ref/contrib/gis
/forms-api.txt.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/25706#comment:21>