[Django] #36825: CSP nonces are not applied in the Django admin


Django

Dec 23, 2025, 12:10:21 PM (3 days ago) Dec 23
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Type: Uncategorized
Status: new | Component: contrib.admin
Version: 6.0 | Severity: Normal
Keywords: CSP, nonce, admin | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
When a Content Security Policy is configured in `settings.py` with
directives that require script nonces, for example:

{{{
#!python
SECURE_CSP = {
"object-src": [CSP.NONE],
"base-uri": [CSP.NONE],
"script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}
}}}

the Django admin interface stops working because the inline and linked
scripts used by the admin do not receive a nonce, resulting in CSP
violations.

**Expected behavior:**
When CSP nonces are enabled, the Django admin should either automatically
apply nonces to its scripts, or there should be a documented and supported
way to make the admin compatible with nonce-based CSP configurations.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Dec 23, 2025, 12:45:02 PM (3 days ago) Dec 23
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-----------------------------------+--------------------------------------
Reporter: Carsten Fuchs | Owner: (none)
Type: Uncategorized | Status: new
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Description changed by Carsten Fuchs:

Old description:

> When a Content Security Policy is configured in `settings.py` with
> directives that require script nonces, for example:
>
> {{{
> #!python
> SECURE_CSP = {
> "object-src": [CSP.NONE],
> "base-uri": [CSP.NONE],
> "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
> }
> }}}
>
> the Django admin interface stops working because the inline and linked
> scripts used by the admin do not receive a nonce, resulting in CSP
> violations.
>
> **Expected behavior:**
> When CSP nonces are enabled, the Django admin should either automatically
> apply nonces to its scripts, or there should be a documented and
> supported way to make the admin compatible with nonce-based CSP
> configurations.

New description:

When a Content Security Policy is configured in `settings.py` with
directives that require script nonces, for example:

{{{
#!python
SECURE_CSP = {
"object-src": [CSP.NONE],
"base-uri": [CSP.NONE],
"script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}
}}}

the Django admin interface stops working because the linked scripts used
by the admin do not receive a nonce, resulting in CSP violations.

**Expected behavior:**
When CSP nonces are enabled, the Django admin should either automatically
apply nonces to its scripts, or there should be a documented and supported
way to make the admin compatible with nonce-based CSP configurations.

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:1>

Django

Dec 23, 2025, 12:50:14 PM (3 days ago) Dec 23
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-----------------------------------+------------------------------------
Reporter: Carsten Fuchs | Owner: (none)
Type: New feature | Status: new
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+------------------------------------
Changes (by Natalia Bidart):

* cc: Rob Hudson (added)
* stage: Unreviewed => Accepted
* type: Uncategorized => New feature

Comment:

Hello Carsten!

Thank you for taking the time to create this report. I have confirmed your
findings:

{{{
Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://localhost:9000/static/admin/js/theme.js from being executed because it violates the following directive: “script-src 'strict-dynamic'” admin
Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://localhost:9000/static/admin/js/nav_sidebar.js from being executed because it violates the following directive: “script-src 'strict-dynamic'”
}}}

I am accepting this ticket as a new feature for 6.1, subject to volunteer
contributions, to add nonce-based CSP support in the admin. Would you like
to work on a branch?
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:2>

Django

Dec 23, 2025, 1:10:48 PM (3 days ago) Dec 23
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-----------------------------------+------------------------------------
Reporter: Carsten Fuchs | Owner: (none)
Type: New feature | Status: new
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+------------------------------------
Comment (by Carsten Fuchs):

Hello Natalia,

thanks for accepting the ticket. I’d love to help and I can try, but
realistically this might land closer to Django 61.0 than 6.1 — I don’t
know the admin codebase well enough to move that quickly. 🙂 So, no
promises.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:3>

Django

Dec 23, 2025, 2:32:57 PM (3 days ago) Dec 23
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kundan Yadav):

* owner: (none) => Kundan Yadav
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:4>

Django

Dec 23, 2025, 5:27:07 PM (2 days ago) Dec 23
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Rob Hudson):

This is a subtle issue with regards to the nature of `strict-dynamic`.

The admin templates would need to add conditional nonce attributes to all
script tags (both external and inline). For example:

Current (admin/base.html:9)

{{{
<script src="{% static "admin/js/theme.js" %}"></script>
}}}

Should be:

{{{
<script src="{% static "admin/js/theme.js" %}"{% if csp_nonce %} nonce="{{ csp_nonce }}"{% endif %}></script>
}}}

This would allow things to work in the following 4 scenarios. Currently it
seems Django 6.0
1. when CSP middleware is not enabled (nonce is falsy, not added to header or script tags)
2. when CSP is enabled without nonces (nonce not accessed, not added to header or script tags)
3. when CSP uses nonces (nonce added to both tag and header)
4. when CSP uses nonces with `CSP.STRICT_DYNAMIC` (nonce added to both tag and header)

The difference between 3 and 4 is that 3 would allow host-based allowlists
and keyword allowlists to work. When `CSP.STRICT_DYNAMIC`, host-based
allowlists and keyword (e.g. `CSP.SELF`) allowlists are ignored, so admin
scripts would then require nonces.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:5>
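The following is an added, stand-alone model of the behaviour discussed in the report and in the comment above: the `SECURE_CSP` policy from the report, the conditional `nonce` attribute proposed for the admin templates, and the four scenarios, in particular why scenario 3 (nonce plus `'self'`) still runs the admin's scripts while scenario 4 (nonce plus `'strict-dynamic'`) blocks them until the tags carry the nonce. It is not Django's code or a browser's: the `CSP` keyword constants are local stand-ins for the `django.utils.csp.CSP` names (an assumption about their values, not an import of Django), the matcher is a simplified model of the CSP3 `script-src` rules for parser-inserted `<script src>` elements (no hashes, no dynamically inserted scripts), and the two script URLs are a constructed sample taken from the console output quoted earlier.

```python
"""Model of how a nonce-based script-src directive treats the admin's <script> tags.

Added example, not Django's or any browser's code. The keyword constants are
local stand-ins for the django.utils.csp.CSP names (assumed values); the
matcher is a simplified model of the CSP3 script-src rules for parser-inserted
<script src> elements.
"""
import secrets
from urllib.parse import urlsplit

NONE = "'none'"
SELF = "'self'"
STRICT_DYNAMIC = "'strict-dynamic'"
NONCE = "<csp-nonce>"  # placeholder that becomes 'nonce-<value>' per response

# Constructed sample: the two admin scripts named in the console output,
# served from the same origin as the admin page.
PAGE_ORIGIN = "http://localhost:9000"
ADMIN_SCRIPTS = [
    "http://localhost:9000/static/admin/js/theme.js",
    "http://localhost:9000/static/admin/js/nav_sidebar.js",
]


def new_nonce() -> str:
    """Fresh per-response nonce; base64url output is valid CSP nonce syntax."""
    return secrets.token_urlsafe(16)


def serialize_script_src(values, nonce):
    """Header text for the directive: the NONCE placeholder becomes 'nonce-<value>'."""
    parts = [f"'nonce-{nonce}'" if v == NONCE else v for v in values]
    return "script-src " + " ".join(parts)


def render_script_tag(src, csp_nonce):
    """Equivalent of the conditional template attribute:
    <script src="..."{% if csp_nonce %} nonce="{{ csp_nonce }}"{% endif %}></script>"""
    attr = f' nonce="{csp_nonce}"' if csp_nonce else ""
    return f'<script src="{src}"{attr}></script>'


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def script_allowed(directive_values, src, tag_nonce, header_nonce):
    """Would the browser run a parser-inserted <script src=...> under this directive?

    A nonce attribute matching the header always allows. With 'strict-dynamic',
    host and 'self' sources are ignored, so a tag without a matching nonce is
    blocked. Otherwise 'self' and host sources are compared by origin."""
    if directive_values is None:  # no CSP header at all
        return True
    if header_nonce is not None and tag_nonce is not None and tag_nonce == header_nonce:
        return True
    if STRICT_DYNAMIC in directive_values:
        return False
    src_origin = _origin(src)
    for v in directive_values:
        if v == SELF and src_origin == PAGE_ORIGIN:
            return True
        if v in (NONE, NONCE, STRICT_DYNAMIC, SELF):
            continue
        host_source = v if "://" in v else f"{urlsplit(src).scheme}://{v}"
        if _origin(host_source) == src_origin:
            return True
    return False


def run_scenario(directive_values, template_adds_nonce):
    """Simulate one response: returns (header, rendered tags, all admin scripts allowed?).

    template_adds_nonce=False is the current admin template (no nonce attribute);
    True is the conditional attribute proposed in the comment."""
    uses_nonce = directive_values is not None and NONCE in directive_values
    header_nonce = new_nonce() if uses_nonce else None
    # csp_nonce in the template context is falsy when no nonce is in use.
    csp_nonce = header_nonce if template_adds_nonce else None
    header = None if directive_values is None else serialize_script_src(directive_values, header_nonce)
    tags = [render_script_tag(src, csp_nonce) for src in ADMIN_SCRIPTS]
    allowed = all(script_allowed(directive_values, src, csp_nonce, header_nonce) for src in ADMIN_SCRIPTS)
    return header, tags, allowed


if __name__ == "__main__":
    cases = {
        "1. middleware off": (None, False),
        "2. CSP without nonces": ([SELF], False),
        "3. nonce + self, current admin": ([NONCE, SELF], False),
        "3. nonce + self, patched admin": ([NONCE, SELF], True),
        "4. nonce + strict-dynamic, current admin": ([NONCE, STRICT_DYNAMIC], False),
        "4. nonce + strict-dynamic, patched admin": ([NONCE, STRICT_DYNAMIC], True),
    }
    for name, (values, patched) in cases.items():
        header, tags, ok = run_scenario(values, patched)
        print(f"{name}: {'allowed' if ok else 'BLOCKED'}  [{header}]")
```

Running the block prints one line per scenario; only "4. nonce + strict-dynamic, current admin" comes out BLOCKED, which is the failure in the report. The model deliberately leaves out the part of `'strict-dynamic'` that lets a nonced script load further scripts dynamically; for the admin's parser-inserted tags that rule does not apply, which is exactly why each tag needs its own nonce.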

Django

Dec 23, 2025, 7:33:40 PM (2 days ago) Dec 23
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Antoliny):

* cc: Antoliny (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:6>