Changes to make browsable API compatbile with strong CSP [WIP] #5740
Conversation
|
I realize that this PR doesn't remove all inline javascript, but it looks to me like all of the remaining inline javascript can simply be moved into their own files; the most complex change was the CSRF stuff. |
|
Not sure I have enough context, where’s best to read up on CSP? |
|
Sorry! I got caught up in what I was doing and totally didn't realize I was using acronyms. CSP stands for Content Security Policy. (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). A site using CSP (without DRF is currently incompatible with a strong CSP precisely because it uses inline javascript. By injecting the template variables into javascript with an |
|
The way this is implemented looks good to me and once rebased would fix the issue. |
|
@craiga @carltongibson I also need to enforce strong CSP and would like inline javascript to be removed. I've tested this patch (with cosmetic changes) locally and it works for me. I'd love to see it go through. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Currently the browsable API contains inline JS for configuring forms and allowing for custom CSRF cookie/header names. Use of CSP with this page requires
'unsafe-inline'.This patch is a concept for getting rid of all inline scripts from the browsable API. It's not tested, as I just wanted to see if there was interest in merging this before I spend too much time on it.