Content-Security-Policy and strict-dynamic

[sshishov]

Django Debug Toolbar is blocked by CSP if we are using strict-dynamic.
Django already support it from the box if we can include nonce="{{request.csp_nonce}}" in the template

[tim-schilling]

Thanks for opening the issue.

Django already support it from the box if we can include nonce="{{request.csp_nonce}}" in the template

Can you elaborate on where in the template this should go? A PR would be welcome too. If not, defining this issue so a newcomer could pick it up would be very helpful to us.

[jkevingutierrez]

Hey!

I just encounter myself with this issue.

The error that I'm getting is something like

Refused to load the script 'http://localhost:8000/static/debug_toolbar/js/toolbar.js' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 

To fix this, every script/style added in this library should allow to add a nonce.

ex:

https://github.com/jazzband/django-debug-toolbar/blob/main/debug_toolbar/templates/debug_toolbar/redirect.html#L6

Could be something like

<script type="module" src="{% static 'debug_toolbar/js/toolbar.js' %}" async nonce="{{ CUSTOM_NONCE }}"></script>

[braiam]

@tim-schilling according to this proposal it isn't in django core yet. It's a third party project that seems to be the defacto library for django implementations.