Support Content-Security-Policy without "script-src unsafe-inline" #5381
Comments
Thanks for the report, we'll take care of it.
I think that this should undergo a deprecation period. Django 1.10 just removed its own inline JavaScript to allow enabling "Content-Security-Policy"; it does not enforce it.
I gave this a look and it's a bit harder than I expected. Replacing Another issue is that Django-CMS uses jQuery's PEP.js library, which builds a dynamic script element and inserts it into the DOM, violating
That's very unfortunate
On 17 Sep 2017 02:30, "Rob Speed" ***@***.***> wrote:
I gave this a bit of a look and it's looking a bit harder than I expected.
Replacing CMS.config with a block of JSON was fairly straightforward, but
plugins are another story altogether. Gonna put it aside for now and take
another look when I have some time.
Some good news: I got the plugins/placeholders sorted out. I've got it running on my personal site right now (with
@rspeed oh great stuff, any chance of some PRs?
Yup, already working on one. I found a few more inline scripts that needed to be fixed. Finishing that up now.
@vxsx @yakky what's the status of CSP support? Following a pen test I've got a client who wants us to implement a CSP and I've done what I can, but can't complete the task without support from the CMS. I've not looked at the commits involved in #6072 yet, but it's full of conflicts given its age now, so I'm not sure how viable those changes are now.
This addresses CSP support in django-cms#5381
This addresses CSP support in django-cms#5381 Rebuilt the JS
I give this a push, because I find it highly relevant that I do not have to set
Django 1.10 lands support for running the admin with a Content-Security-Policy without "script-src unsafe-inline" applied. This allows the Django admin to be completely immune from XSS attacks.
Django CMS should follow suit and remove all inline JavaScript. Replacing large blocks of JS with

    <script src={% static 'path/to/old_inlines/eg.js' %}></script>

and

    <script>var foo = {{bar}}</script>

with:
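The migration this issue asks for, as an added example that is not django-cms or Django code: a JSON data block helper standing in for the `<script>var foo = {{bar}}</script>` pattern, plus a static check over rendered HTML for what `script-src 'self'` without `'unsafe-inline'` would block. Function names and the sample HTML are assumptions.

```python
"""Added example (not django-cms code): helpers for the migration this issue describes,
so pages run under Content-Security-Policy: script-src 'self' without 'unsafe-inline'."""
import json
from html.parser import HTMLParser

# Escaped as JSON \uXXXX (still valid JSON) so data can never close the <script> element.
_HTML_UNSAFE = {"<": "\\u003C", ">": "\\u003E", "&": "\\u0026"}
# script types a browser executes; application/json and the like are inert data.
_EXEC_TYPES = {None, "", "text/javascript", "application/javascript", "module"}

def json_for_html(value):
    text = json.dumps(value)
    for raw, esc in _HTML_UNSAFE.items():
        text = text.replace(raw, esc)
    return text

def json_data_block(value, element_id):
    """Replaces `<script>var foo = {{ bar }}</script>`: a non-executing block that
    external JS reads via JSON.parse(document.getElementById(id).textContent).
    Same idea as Django's json_script filter, reimplemented here for illustration."""
    return '<script id="%s" type="application/json">%s</script>' % (element_id, json_for_html(value))

class _InlineScriptFinder(HTMLParser):
    """Records what script-src 'self' would block in rendered HTML: inline script bodies
    and on* handlers. Scripts a library inserts at runtime (the PEP.js case in the
    thread) are invisible to a static check; a CSP report-uri in the browser sees those."""
    def __init__(self):
        super().__init__()
        self.violations, self._in_inline = [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs and attrs.get("type") in _EXEC_TYPES:
            self._in_inline = True
        self.violations += ["inline handler %s on <%s>" % (n, tag) for n in attrs if n.startswith("on")]
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.violations.append("inline script: " + data.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def find_csp_violations(html):
    parser = _InlineScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.violations

# Constructed sample: the inline pattern from the issue beside its CSP-clean replacement.
BEFORE = '<script>var foo = {"id": 7};</script><a onclick="go()">go</a>'
AFTER = json_data_block({"id": 7}, "foo") + '<script src="/static/cms/foo.js"></script>'
```

Running `find_csp_violations` over each rendered template is a cheap pre-deployment gate; dynamically inserted scripts still need a browser run with a `report-uri` or `report-to` directive.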