Proposal to merge django-csp into contrib

255 views
Skip to first unread message

Thomas Grainger

unread,
Dec 5, 2015, 6:39:46 PM12/5/15
to Django developers (Contributions to Django itself)
Now that the django admin supports the Content-Security-Policy header I think merging django-csp into contrib would be a good fix for https://code.djangoproject.com/ticket/15727

It might also be an idea to wait for Mozilla to also respond to the proposal of this merger.

See my PR here: https://github.com/django/django/pull/5776

Aymeric Augustin

unread,
Dec 6, 2015, 4:13:46 AM12/6/15
to django-d...@googlegroups.com
Hello Thomas,


On 5 déc. 2015, at 23:23, Thomas Grainger <tag...@gmail.com> wrote:

I think merging django-csp into contrib would be a good fix for https://code.djangoproject.com/ticket/15727 

I took a look at the pull request.

I understand that the “just merge django-csp” approach minimizes effort. However the result doesn’t feel well integrated with Django. I left a few comments that all boil down to “this isn’t how we would have done if we’d started from a clean slate” and quickly gave up when I noticed that trend.

Thinking in terms of “we have Django, how do we best implement CSP?” — and liberally looking for API ideas or code in django-csp, since its license allows that will yield better results than merely transplanting django-csp in django.contrib. That’s usually how Django integrates third-party code.

Best regards,

-- 
Aymeric.

Florian Apolloner

unread,
Dec 6, 2015, 5:01:54 AM12/6/15
to Django developers (Contributions to Django itself)


On Sunday, December 6, 2015 at 10:13:46 AM UTC+1, Aymeric Augustin wrote:
I understand that the “just merge django-csp” approach minimizes effort. However the result doesn’t feel well integrated with Django. I left a few comments that all boil down to “this isn’t how we would have done if we’d started from a clean slate” and quickly gave up when I noticed that trend.

Ditto, I'd like to see this in core and as part of SecurityMiddleware.

Thomas Grainger

unread,
Dec 6, 2015, 11:22:20 AM12/6/15
to Django developers (Contributions to Django itself)
Yeah this makes a lot more sense in SecurityMiddleware

Robert Roskam

unread,
Feb 15, 2017, 9:11:01 PM2/15/17
to Django developers (Contributions to Django itself)
Hey All,

So it's over a year later, and even though there is consensus, this ticket (https://code.djangoproject.com/ticket/15727) appears to have had no progress.

Would it be OK if someone else were to pick up this ticket and move it forward?

Robert Roskam

Tim Graham

unread,
Feb 15, 2017, 9:13:45 PM2/15/17
to Django developers (Contributions to Django itself)
Yes, if a ticket goes weeks or months without activity, it's unlikely someone is working on it, so it's fine to reassign.

Robert Roskam

unread,
Feb 16, 2017, 7:36:58 PM2/16/17
to Django developers (Contributions to Django itself)
OK, I'll probably hold off for a little bit just in case someone else wants it. But I'll probably have some time soon to work on it.

Robert Roskam

Thomas Grainger

unread,
Feb 16, 2017, 7:41:04 PM2/16/17
to django-d...@googlegroups.com
I'd like to see this happen! Don't worry about taking over from me! 

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/OITfIvTOp0A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to django-developers+unsubscribe@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/60788491-d220-44b6-b692-ea4a49e67268%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages