Proposal to merge django-csp into contrib

[Thomas Grainger]

Now that the django admin supports the Content-Security-Policy header I think merging django-csp into contrib would be a good fix for https://code.djangoproject.com/ticket/15727

It might also be an idea to wait for Mozilla to also respond to the proposal of this merger.

See my PR here: https://github.com/django/django/pull/5776

[Aymeric Augustin]

Hello Thomas,

On 5 déc. 2015, at 23:23, Thomas Grainger <tag...@gmail.com> wrote:

I think merging django-csp into contrib would be a good fix for https://code.djangoproject.com/ticket/15727 

I took a look at the pull request.

I understand that the “just merge django-csp” approach minimizes effort. However the result doesn’t feel well integrated with Django. I left a few comments that all boil down to “this isn’t how we would have done if we’d started from a clean slate” and quickly gave up when I noticed that trend.

Thinking in terms of “we have Django, how do we best implement CSP?” — and liberally looking for API ideas or code in django-csp, since its license allows that — will yield better results than merely transplanting django-csp in django.contrib. That’s usually how Django integrates third-party code.

Best regards,

-- 

Aymeric.

[Florian Apolloner]

On Sunday, December 6, 2015 at 10:13:46 AM UTC+1, Aymeric Augustin wrote:

I understand that the “just merge django-csp” approach minimizes effort. However the result doesn’t feel well integrated with Django. I left a few comments that all boil down to “this isn’t how we would have done if we’d started from a clean slate” and quickly gave up when I noticed that trend.

Ditto, I'd like to see this in core and as part of SecurityMiddleware.

[Thomas Grainger]

Yeah this makes a lot more sense in SecurityMiddleware

[Robert Roskam]

Hey All,

So it's over a year later, and even though there is consensus, this ticket (https://code.djangoproject.com/ticket/15727) appears to have had no progress.

Would it be OK if someone else were to pick up this ticket and move it forward?

Robert Roskam

[Tim Graham]

Yes, if a ticket goes weeks or months without activity, it's unlikely someone is working on it, so it's fine to reassign.

[Robert Roskam]

OK, I'll probably hold off for a little bit just in case someone else wants it. But I'll probably have some time soon to work on it.

Robert Roskam

[Thomas Grainger]

I'd like to see this happen! Don't worry about taking over from me! 

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/OITfIvTOp0A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to django-developers+unsubscribe@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/60788491-d220-44b6-b692-ea4a49e67268%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.