Working on csp and nonce support

Author: davegaeddert

example/app/settings.py

@@ -27,6 +27,27 @@
     "app.users",
 ]
 
+
+def DEFAULT_RESPONSE_HEADERS(request):
+    """
+    Strict CSP policy for testing CSP nonce support.
+    """
+    nonce = request.csp_nonce
+    return {
+        "Content-Security-Policy": (
+            f"default-src 'self'; "
+            f"script-src 'self' 'nonce-{nonce}'; "
+            f"style-src 'self' 'nonce-{nonce}'; "
+            f"img-src 'self' data: https://www.gravatar.com; "
+            f"font-src 'self'; "
+            f"connect-src 'self'; "
+            f"frame-ancestors 'self'; "
+            f"base-uri 'self'; "
+            f"form-action 'self'"
+        ),
+    }
+
+
 EMAIL_BACKEND = "plain.email.backends.console.EmailBackend"
 EMAIL_DEFAULT_FROM = "from@example.com"
 SUPPORT_EMAIL = "support@example.com"

example/app/templates/base.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>{% block title %}Example App{% endblock %}</title>
+    {% tailwind_css %}
+</head>
+<body>
+    {% block content required %}{% endblock %}
+
+    {% toolbar %}
+</body>
+</html>

example/app/templates/index.html

@@ -1,14 +1,7 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Document</title>
-    {% tailwind_css %}
-</head>
-<body>
-    Hey!
+{% extends "base.html" %}
 
-    {% toolbar %}
-</body>
-</html>
+{% block content %}
+<div class="p-8">
+    Hey!
+</div>
+{% endblock %}

example/app/templates/login.html

@@ -0,0 +1,41 @@
+{% extends "base.html" %}
+
+{% block title %}Login{% endblock %}
+
+{% block content %}
+<div class="p-8">
+    <div class="max-w-md mx-auto">
+        <h1 class="text-2xl font-bold mb-4">Login</h1>
+
+        <form method="post" class="flex flex-col">
+            {% for error in form.non_field_errors %}
+            <div class="text-red-500 border-red-500 border rounded-md p-2 mb-4">{{ error }}</div>
+            {% endfor %}
+
+            <label class="text-sm mb-1" for="{{ form.email.html_id }}">Email</label>
+            <input
+                class="border border-gray-300 rounded-md px-3 py-2 mb-4"
+                type="email"
+                name="{{ form.email.html_name }}"
+                id="{{ form.email.html_id }}"
+                value="{{ form.email.value() or '' }}"
+                autocomplete="email"
+                autofocus
+                required>
+
+            <label class="text-sm mb-1" for="{{ form.password.html_id }}">Password</label>
+            <input
+                class="border border-gray-300 rounded-md px-3 py-2 mb-4"
+                type="password"
+                name="{{ form.password.html_name }}"
+                id="{{ form.password.html_id }}"
+                autocomplete="current-password"
+                required>
+
+            <button type="submit" class="bg-blue-500 hover:bg-blue-700 text-white font-bold py-2 px-4 rounded">
+                Login
+            </button>
+        </form>
+    </div>
+</div>
+{% endblock %}

example/app/urls.py

@@ -8,7 +8,7 @@
 
 
 class LoginView(PasswordLoginView):
-    pass
+    template_name = "login.html"
 
 
 class IndexView(TemplateView):

example/pyproject.toml

@@ -1,5 +1,5 @@
 [project]
-name = "plain-demo-full"
+name = "example"
 version = "0.0.0"
 requires-python = ">=3.13"
 dependencies = [

plain-admin/plain/admin/assets/admin/vendor/tippy-bundle.umd.min.js

@@ -44,6 +44,7 @@ def view_name(cls) -> str:
     def get_template_context(self) -> dict[str, Any]:
         context = {}
 
+        context["request"] = self.request
         context["size"] = self.size
         context["title"] = self.get_title()
         context["slug"] = self.get_slug()