Any thoughts on content security policy / django-csp?

[gunnar-rydberg]

When I migrated from 0.11a11 to .11b4 I had to mess around with content security policy hashes for the importmap added the django admin page. (Was this added in the refactoring?...)

We are using the django-cps package for reference. (version 3.8).

Of course to just get things working, we just add the required CPS hash to the headers of each response. (Handled by django-cps configuration)

However since you are working on django_js_assets: Maybe one could make it interact with django-cps and add the correct nounce to the script-tag containing importmap.

[matthiask]

Yep, that's definitely something I'm interested in pursuing. Do you have a working solution you could share, or at the very least some snippets showing how the output would/should look like?

[gunnar-rydberg]

I'm afraid not.

Looks like django-csp adds cps_nonce to djangos request object.

And then for any instance of (in this case) <script> you want to do something like this:

<script type="importmap" nonce="{{ request.csp_nonce }}">
...
</script>

However the request context is not automatically propagated down to the widget initialization.

[matthiask]

(Dumping links)

I think django-csp-helpers has an interesting idea on how to implement something like this:
https://github.com/dmptrluke/django-csp-helpers/blob/master/csp_helpers/classes.py

I have looked at overriding media classes to support additional attributes but this hasn't gone too far yet, but here's the pull request which would enable us to add our own Media class in any arbitrary position during the forms.Media merging and injecting the CSP attribute everywhere:
django/django#19058

Also, here's a DEP draft which I haven't found the time to work on a lot yet:
django/deps#101

I have generated some code yesterday for django-js-asset:
matthiask/django-js-asset#15