[Django] #36825: CSP nonces are not applied in the Django admin


Django

Dec 23, 2025, 12:10:21 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Type: Uncategorized
Status: new | Component: contrib.admin
Version: 6.0 | Severity: Normal
Keywords: CSP, nonce, admin | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
When a Content Security Policy is configured in `settings.py` with
directives that require script nonces, for example:

{{{
#!python
SECURE_CSP = {
"object-src": [CSP.NONE],
"base-uri": [CSP.NONE],
"script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}
}}}

the Django admin interface stops working because the inline and linked
scripts used by the admin do not receive a nonce, resulting in CSP
violations.

**Expected behavior:**
When CSP nonces are enabled, the Django admin should either automatically
apply nonces to its scripts, or there should be a documented and supported
way to make the admin compatible with nonce-based CSP configurations.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Dec 23, 2025, 12:45:02 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-----------------------------------+--------------------------------------
Reporter: Carsten Fuchs | Owner: (none)
Type: Uncategorized | Status: new
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Description changed by Carsten Fuchs:

Old description:

> When a Content Security Policy is configured in `settings.py` with
> directives that require script nonces, for example:
>
> {{{
> #!python
> SECURE_CSP = {
> "object-src": [CSP.NONE],
> "base-uri": [CSP.NONE],
> "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
> }
> }}}
>
> the Django admin interface stops working because the inline and linked
> scripts used by the admin do not receive a nonce, resulting in CSP
> violations.
>
> **Expected behavior:**
> When CSP nonces are enabled, the Django admin should either automatically
> apply nonces to its scripts, or there should be a documented and
> supported way to make the admin compatible with nonce-based CSP
> configurations.

New description:

When a Content Security Policy is configured in `settings.py` with
directives that require script nonces, for example:

{{{
#!python
SECURE_CSP = {
"object-src": [CSP.NONE],
"base-uri": [CSP.NONE],
"script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}
}}}

the Django admin interface stops working because the linked scripts used
by the admin do not receive a nonce, resulting in CSP violations.

**Expected behavior:**
When CSP nonces are enabled, the Django admin should either automatically
apply nonces to its scripts, or there should be a documented and supported
way to make the admin compatible with nonce-based CSP configurations.

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:1>

Django

Dec 23, 2025, 12:50:14 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-----------------------------------+------------------------------------
Reporter: Carsten Fuchs | Owner: (none)
Type: New feature | Status: new
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+------------------------------------
Changes (by Natalia Bidart):

* cc: Rob Hudson (added)
* stage: Unreviewed => Accepted
* type: Uncategorized => New feature

Comment:

Hello Carsten!

Thank you for taking the time to create this report. I have confirmed your
findings:

{{{
Content-Security-Policy: The page’s settings blocked a script (script-src-
elem) at http://localhost:9000/static/admin/js/theme.js from being
executed because it violates the following directive: “script-src 'strict-
dynamic'” admin
Content-Security-Policy: The page’s settings blocked a script (script-src-
elem) at http://localhost:9000/static/admin/js/nav_sidebar.js from being
executed because it violates the following directive: “script-src 'strict-
dynamic'”
}}}

I am accepting this ticket as a new feature for 6.1, subject to volunteer
contributions, to add nonce-based CSP support in the admin. Would you like
to work on a branch?
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:2>

Django

Dec 23, 2025, 1:10:48 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-----------------------------------+------------------------------------
Reporter: Carsten Fuchs | Owner: (none)
Type: New feature | Status: new
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+------------------------------------
Comment (by Carsten Fuchs):

Hello Natalia,

thanks for accepting the ticket. I’d love to help and I can try, but
realistically this might land closer to Django 61.0 than 6.1 — I don’t
know the admin codebase well enough to move that quickly. 🙂 So, no
promises.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:3>

Django

Dec 23, 2025, 2:32:57 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kundan Yadav):

* owner: (none) => Kundan Yadav
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:4>

Django

Dec 23, 2025, 5:27:07 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Rob Hudson):

This is a subtle issue with regards to the nature of `strict-dynamic`.

The admin templates would need to add conditional nonce attributes to all
script tags (both external and inline). For example:

Current (admin/base.html:9)

{{{
<script src="{% static "admin/js/theme.js" %}"></script>
}}}

Should be:

{{{
<script src="{% static "admin/js/theme.js" %}"{% if csp_nonce %}
nonce="{{ csp_nonce }}"{% endif %}></script>
}}}

This would allow things to work in the following 4 scenarios. Currently it
seems Django 6.0
1. when CSP middleware is not enabled (nonce is falsy, not added to header
or script tags)
2. when CSP is enabled without nonces (nonce not accessed, not added to
header or script tags)
3. when CSP uses nonces (nonce added to both tag and header)
4. when CSP uses nonces with `CSP.STRICT_DYNAMIC` (nonce added to both tag
and header)

The difference between 3 and 4 is that 3 would allow host-based allowlists
and keyword allowlists to work. When `CSP.STRICT_DYNAMIC`, host-based
allowlists and keyword (e.g. `CSP.SELF`) allowlists are ignored, so admin
scripts would then require nonces.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:5>
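A model of the behaviour discussed above, covering the `SECURE_CSP` configuration from the ticket description and the four scenarios in Rob Hudson's comment. This is an added example, not code from the ticket or from Django: the browser-side check is a simplified reading of CSP3's nonce and `'strict-dynamic'` rules, the `NONCE`, `STRICT_DYNAMIC` and `SELF` sentinels stand in for Django's `CSP.*` constants, and `evaluate` assumes a nonce is only generated when the policy asks for one.

```python
import secrets
from urllib.parse import urlsplit

# Sentinels standing in for Django's CSP.NONCE / CSP.STRICT_DYNAMIC / CSP.SELF
# (assumed stand-ins, not the real constants).
NONCE, STRICT_DYNAMIC, SELF = "<nonce>", "'strict-dynamic'", "'self'"


def build_header(script_src, nonce):
    """Serialise a script-src list shaped like the ticket's SECURE_CSP,
    substituting the request's nonce for the NONCE sentinel."""
    tokens = [f"'nonce-{nonce}'" if t == NONCE else t for t in script_src]
    return "script-src " + " ".join(tokens)


def script_allowed(policy_tokens, page_origin, src=None, nonce=None):
    """Simplified CSP3 check: would a <script src=... nonce=...> execute?
    src=None means an inline script."""
    nonces = {t[len("'nonce-"):-1] for t in policy_tokens
              if t.startswith("'nonce-")}
    # 1. A matching nonce attribute always allows the script.
    if nonce and nonce in nonces:
        return True
    # 2. Under 'strict-dynamic' host and keyword allowlists are ignored, so an
    #    un-nonced script is blocked: exactly the admin's theme.js failure.
    if STRICT_DYNAMIC in policy_tokens:
        return False
    if src is None:
        # 'unsafe-inline' is itself ignored once a nonce source is present.
        return "'unsafe-inline'" in policy_tokens and not nonces
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(src))
    if SELF in policy_tokens and origin == page_origin:
        return True
    return origin in policy_tokens


def evaluate(script_src, tag_has_nonce, page_origin="http://localhost:9000"):
    """Run one scenario: script_src is the policy (None = middleware off) and
    tag_has_nonce says whether admin/base.html emits nonce="{{ csp_nonce }}".
    Returns (header, allowed) for /static/admin/js/theme.js."""
    if script_src is None:                      # scenario 1: no CSP at all
        return None, True
    # Assumption: a nonce is generated only when the policy asks for one.
    nonce = secrets.token_urlsafe(16) if NONCE in script_src else None
    header = build_header(script_src, nonce)
    allowed = script_allowed(header.split()[1:], page_origin,
                             src=page_origin + "/static/admin/js/theme.js",
                             nonce=nonce if tag_has_nonce else None)
    return header, allowed


if __name__ == "__main__":
    # The ticket's config ([CSP.NONCE, CSP.STRICT_DYNAMIC]) with today's
    # nonce-less admin template, then with the conditional nonce attribute.
    print(evaluate([NONCE, STRICT_DYNAMIC], tag_has_nonce=False))  # blocked
    print(evaluate([NONCE, STRICT_DYNAMIC], tag_has_nonce=True))   # allowed
```

Scenario 3 (`[SELF, NONCE]`) passes with or without the template change because `'self'` still counts; scenario 4 only passes once the tag carries the nonce.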

Django

Dec 23, 2025, 7:33:40 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Antoliny):

* cc: Antoliny (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:6>

Django

Jan 4, 2026, 2:40:26 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kundan Yadav):

* has_patch: 0 => 1

Comment:

https://github.com/django/django/pull/20494
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:7>

Django

Jan 5, 2026, 3:24:51 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* needs_better_patch: 0 => 1
* needs_docs: 0 => 1
* needs_tests: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:8>

Django

Jan 7, 2026, 1:54:48 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kundan Yadav):

* needs_better_patch: 1 => 0
* needs_tests: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:9>

Django

Jan 11, 2026, 1:19:09 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kundan Yadav):

* needs_docs: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:10>

Django

Jan 13, 2026, 12:44:47 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Kundan Yadav):

Hey, is there anything left or wrong in the PR?
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:11>

Django

Jan 13, 2026, 1:22:06 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:12>

Django

Jan 13, 2026, 1:26:20 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):

Replying to [comment:11 Kundan Yadav]:
> Hey, is there anything left or wrong in the PR?

Hello Kundan, we appreciate your eagerness to contribute! Your branch is
in the
[https://code.djangoproject.com/query?has_patch=1&needs_better_patch=0&needs_docs=0&needs_tests=0&stage=Accepted&status=!closed&order=changetime&desc=1
review queue] and will be looked at when someone is available.

Please note that Django is a community driven project and we rely on
volunteers to make not only code contributions, but also other
contributions such as PR reviews. If you have any availability, please
consider contributing in other areas apart from code. For more details,
see https://docs.djangoproject.com/en/6.0/internals/contributing/new-
contributors/.

Lastly, please make sure that your PR is of the highest quality possible,
to avoid back and forth on issues that could have been caught by following
the [https://docs.djangoproject.com/en/dev/internals/contributing/writing-
code/submitting-patches/#patch-review-checklist Contribution checklist].
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:13>

Django

Jan 13, 2026, 2:34:32 PM
to django-...@googlegroups.com
#36825: CSP nonces are not applied in the Django admin
-------------------------------------+-------------------------------------
Reporter: Carsten Fuchs | Owner: Kundan Yadav
Type: New feature | Status: assigned
Component: contrib.admin | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP, nonce, admin | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Kundan Yadav):

Replying to [comment:13 Natalia Bidart]:
> Replying to [comment:11 Kundan Yadav]:
> > Hey, is there anything left or wrong in the PR?
>
> Hello Kundan, we appreciate your eagerness to contribute! Your branch is
in the
[https://code.djangoproject.com/query?has_patch=1&needs_better_patch=0&needs_docs=0&needs_tests=0&stage=Accepted&status=!closed&order=changetime&desc=1
review queue] and will be looked at when someone is available.
>
> Please note that Django is a community driven project and we rely on
volunteers to make not only code contributions, but also other
contributions such as PR reviews. If you have any availability, please
consider contributing in other areas apart from code. For more details,
see https://docs.djangoproject.com/en/6.0/internals/contributing/new-
contributors/.
>
> Lastly, please make sure that your PR is of the highest quality
possible, to avoid back and forth on issues that could have been caught by
following the
[https://docs.djangoproject.com/en/dev/internals/contributing/writing-code
/submitting-patches/#patch-review-checklist Contribution checklist].

I will not use an LLM, and my next PR will be better than before.
--
Ticket URL: <https://code.djangoproject.com/ticket/36825#comment:14>