Changes to make browsable API compatible with strong CSP [WIP] #5740
Conversation
I realize that this PR doesn't remove all inline javascript, but it looks to me like all of the remaining inline javascript can simply be moved into their own files; the most complex change was the CSRF stuff.
Not sure I have enough context, where's best to read up on CSP?
Sorry! I got caught up in what I was doing and totally didn't realize I was using acronyms. CSP stands for Content Security Policy. (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). A site using CSP (without DRF is currently incompatible with a strong CSP precisely because it uses inline javascript. By injecting the template variables into javascript with an
The way this is implemented looks good to me and once rebased would fix the issue.
Changes here look good to me. There's still inline CSS which can cause CSP violations.
@craiga @carltongibson I also need to enforce strong CSP and would like inline javascript to be removed. I've tested this patch (with cosmetic changes) locally and it works for me. I'd love to see it go through.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Currently the browsable API contains inline JS for configuring forms and allowing for custom CSRF cookie/header names. Use of CSP with this page requires 'unsafe-inline'. This patch is a concept for getting rid of all inline scripts from the browsable API. It's not tested, as I just wanted to see if there was interest in merging this before I spend too much time on it.