CSP compliance #182
Comments
What about replacing the
@claudep Yes, I guess that would also be possible and does not require the extra style sheet. Indeed it seems to be widely implemented. I just tried this in my project, and it works for me, but I have not tested on a wide variety of browsers.
Would you like to suggest a patch with this change?
Good idea. Attached are the two patch files
This change improves CSP compliancy. Thanks Martin Lueders for the report and patch.
While trying to tighten the security measures of a web page I am working on, using the django CSP middleware, I noticed issues with django_comments:
In order to 'hide' the honeypot fields, the templates use inline styles, e.g. form.html:
These inline styles cause the messages:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution.
As the suggested measures (unsafe-inline, hash or nonce) are discouraged, the best solution would be to use a CSS style sheet which defines a class (e.g. comments-no-display) that can then be set in the template. It would only require loading that CSS sheet in the base template, but would allow for tighter CSP settings.
Would it be possible to include this in the next release?
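The following is an added example, not code from django_comments or from the issue's author. It models the decision the browser makes for the console message above: it scans a template fragment for inline styles, computes the `sha256-...` hash expression CSP would accept for them, and evaluates a `style-src` source list against each one. The two HTML fragments are constructed to mirror the issue's description (a honeypot field hidden first with an inline `style`, then with the proposed `comments-no-display` class); they are not the project's real form.html, and the class name is taken from the issue's suggestion. The evaluator also covers two details the console message glosses over: `'unsafe-inline'` is ignored once a nonce or hash is present in the same directive, and a hash only covers a style *attribute* (as opposed to a `<style>` element) when `'unsafe-hashes'` is also listed.

```python
import base64
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed sample fragments (not django_comments' actual form.html): the same
# honeypot field hidden with an inline style, then with a stylesheet class.
INLINE_FRAGMENT = (
    '<p style="display:none;">'
    '<label for="id_honeypot">Leave this field empty</label>'
    '<input type="text" name="honeypot" id="id_honeypot"></p>'
)
CLASS_FRAGMENT = INLINE_FRAGMENT.replace(
    ' style="display:none;"', ' class="comments-no-display"'
)

# The rule the issue proposes to ship in a stylesheet served from the site's own
# origin, so that it is covered by style-src 'self' (class name assumed from the issue).
STYLESHEET = ".comments-no-display { display: none; }"

STYLE_ATTR_RE = re.compile(r'\bstyle\s*=\s*"([^"]*)"', re.IGNORECASE)
STYLE_ELEMENT_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def csp_sha256(source: str) -> str:
    """Hash expression a browser accepts for exactly this inline source (UTF-8, base64)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_styles(html: str) -> List[Tuple[str, str]]:
    """Every inline style a style-src policy has to account for, as (kind, source)."""
    found = [("attribute", m.group(1)) for m in STYLE_ATTR_RE.finditer(html)]
    found += [("element", m.group(1)) for m in STYLE_ELEMENT_RE.finditer(html)]
    return found


def style_src_allows(directive: str, kind: str, source: str,
                     nonce: Optional[str] = None) -> bool:
    """Decide whether `style-src <directive>` lets this inline style apply.

    Rules implemented: 'unsafe-inline' is ignored when a nonce or hash is present;
    a nonce only applies to <style> elements; a hash matches a style attribute
    only if 'unsafe-hashes' is also listed (CSP Level 3).
    """
    tokens = directive.split()
    strict = any(t.startswith("'nonce-") or t.startswith(HASH_PREFIXES) for t in tokens)
    if "'unsafe-inline'" in tokens and not strict:
        return True
    if kind == "element" and nonce and f"'nonce-{nonce}'" in tokens:
        return True
    hash_listed = f"'{csp_sha256(source)}'" in tokens
    if hash_listed and (kind == "element" or "'unsafe-hashes'" in tokens):
        return True
    return False


def violations(html: str, directive: str) -> List[str]:
    """Inline styles in `html` that the directive refuses (what the console reports)."""
    return [src for kind, src in inline_styles(html)
            if not style_src_allows(directive, kind, src)]


if __name__ == "__main__":
    for name, fragment in (("inline style", INLINE_FRAGMENT), ("class", CLASS_FRAGMENT)):
        print(f"{name}: refused under style-src 'self' ->",
              violations(fragment, "'self'"))
    print("hash the browser would demand for the inline style:",
          csp_sha256("display:none;"))
```

Running it shows the inline-style fragment refused under `style-src 'self'` and the class-based fragment passing with no change to the policy, which is the point of the issue: moving `display:none` into a stylesheet loaded from the same origin lets the site keep `'self'` alone, with no `'unsafe-inline'`, per-template hashes, or nonce plumbing.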