GSOC 2023 Proposal Feedback on Security: Bring CORS and CSP into core


Anvesh Mishra

Mar 7, 2023, 11:59:47 AM3/7/23
to Django developers (Contributions to Django itself)

I created a draft proposal, GSOC Proposal [Security: Bring CORS and CSP into core] (Google Docs). I would be glad if you could review it once :smile:
Some key notes on the proposal:

  1. CSP is to be added to SecurityMiddleware, as suggested by @timgraham in his closing notes on PR-5776. I will be following the design of Referrer Policy and implementing some extra features such as a nonce context processor.
  2. A doubt that I had: since CSP consists of a number of directives, will creating a settings attribute for each one of them be a valid option, or can we stick to the proposed way of declaring it in a single comma-separated string, as done with Referrer Policy?
  3. Currently this proposal proposes CORS to be implemented via the addition of a CORSMiddleware, but I was thinking about whether implementing CORS in SecurityMiddleware would be the right way or not.
  4. Also, since I propose to add CSP to SecurityMiddleware, we would have to create SecurityMiddleware._make_nonce(request); I don't know if this breaks the design of SecurityMiddleware. The mock implementation of CSP in SecurityMiddleware can be seen here: CSP mock implementation.
  5. Decorators will be added to both CORS and CSP, with CORS having 3 decorators and CSP having 4 decorators.
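The design questions in the post above (per-directive settings versus a single string, a per-request nonce exposed through a context processor, and view decorators) can be made concrete with a small sketch. This is an added example, not code from the proposal, the linked mock implementation, or Django itself: the `CSP_DEFAULT` dict shape, the `CSPMiddleware`, `csp_context`, `csp_exempt` and `csp_policy` names, and the `Request`/`Response` stand-ins (which replace `django.http.HttpRequest`/`HttpResponse` so the block runs without Django installed) are all assumptions made for illustration. It follows Django's `__init__(get_response)` / `__call__(request)` middleware protocol and shows one way a directive dict serialises to a header, how a fresh nonce is minted per response and reaches the template, and how a view can opt out or override the policy.

```python
import secrets
from functools import wraps

# Constructed stand-ins for django.http.HttpRequest / HttpResponse so this
# runs without Django; only the attributes used below exist on them.
class Request:
    def __init__(self, path="/"):
        self.path = path
        self.csp_nonce = None

class Response:
    def __init__(self, content="", status=200):
        self.content = content
        self.status_code = status
        self.headers = {}

# Hypothetical settings shape: one dict, directive -> list of sources, instead
# of the single comma-separated string used by SECURE_REFERRER_POLICY.
# Valueless directives (upgrade-insecure-requests) carry an empty list.
CSP_DEFAULT = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],          # per-request nonce is appended here
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "upgrade-insecure-requests": [],
}

def make_nonce(nbytes=16):
    # 128 bits from the OS CSPRNG, base64url-encoded. A CSP nonce must be
    # unguessable and fresh for every response; never reuse one across requests.
    return secrets.token_urlsafe(nbytes)

def build_csp_header(policy, nonce=None, nonce_directives=("script-src",)):
    """Serialise a directive dict into a Content-Security-Policy value.

    If `nonce` is given it is added as 'nonce-<value>' to each directive in
    `nonce_directives`. Browsers ignore 'unsafe-inline' in a directive that
    also carries a nonce or hash, so listing both is only a legacy fallback.
    """
    parts = []
    for directive, sources in policy.items():
        sources = list(sources)                 # copy; never mutate settings
        if nonce and directive in nonce_directives:
            sources.append(f"'nonce-{nonce}'")
        parts.append(" ".join([directive, *sources]))
    return "; ".join(parts)

class CSPMiddleware:
    """Django-style middleware: __init__(get_response), __call__(request)."""
    def __init__(self, get_response, policy=CSP_DEFAULT, report_only=False):
        self.get_response = get_response
        self.policy = policy
        self.header = ("Content-Security-Policy-Report-Only" if report_only
                       else "Content-Security-Policy")

    def __call__(self, request):
        request.csp_nonce = make_nonce()        # visible to views and templates
        response = self.get_response(request)
        if getattr(response, "csp_exempt", False) or self.header in response.headers:
            return response                     # view opted out or set its own
        policy = getattr(response, "csp_policy", self.policy)
        response.headers[self.header] = build_csp_header(policy, request.csp_nonce)
        return response

def csp_context(request):
    """Context processor: exposes {{ CSP_NONCE }} for <script nonce="...">."""
    return {"CSP_NONCE": getattr(request, "csp_nonce", None) or ""}

def csp_exempt(view):
    """Decorator: this view's response gets no CSP header at all."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.csp_exempt = True
        return response
    return wrapper

def csp_policy(policy):
    """Decorator: replace the site-wide policy dict for this view only."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            response = view(request, *args, **kwargs)
            response.csp_policy = policy
            return response
        return wrapper
    return decorator

# Constructed demo views; cdn.example is a placeholder host.
def home(request):
    nonce = csp_context(request)["CSP_NONCE"]
    return Response(f'<script nonce="{nonce}">init()</script>')

@csp_exempt
def legacy(request):
    return Response("legacy page")

@csp_policy({"default-src": ["'none'"], "img-src": ["https://cdn.example"]})
def gallery(request):
    return Response("gallery")

def run_example():
    """Return {path: (CSP header, nonce, body)} for each demo view."""
    routes = {"/": home, "/legacy": legacy, "/gallery": gallery}
    mw = CSPMiddleware(lambda req: routes[req.path](req))
    out = {}
    for path in routes:
        req = Request(path)
        resp = mw(req)
        out[path] = (resp.headers.get("Content-Security-Policy"), req.csp_nonce, resp.content)
    return out

if __name__ == "__main__":
    for path, (header, nonce, body) in run_example().items():
        print(path, "->", header)
```

Two things worth checking when adapting this: the nonce in the header must be the same one rendered into the page (here it lives on the request so the context processor and the middleware agree), and a view that sets its own `Content-Security-Policy` header must not have it overwritten, which is why the middleware checks for an existing header before adding one.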

Carlton Gibson

Mar 8, 2023, 2:14:38 AM3/8/23
to django-d...@googlegroups.com
Hi Anvesh. 

I replied to your forum post: https://forum.djangoproject.com/t/gsoc-2023-discussion-on-security-bring-cors-and-csp-into-core/18932/7 — let's keep the discussion in one place please. Thanks.


Anvesh Mishra

Mar 8, 2023, 4:32:39 PM3/8/23
to Django developers (Contributions to Django itself)
Thanks Carlton,

My bad, I will make sure to keep the discussion in one place. 😓
