
Incompatible with a Content Security Policy #307

Closed
graingert opened this Issue Jul 30, 2012 · 4 comments

graingert commented Jul 30, 2012

Because debug_toolbar uses in-line JS it cannot function with a Content Security Policy active.

While disabling CSP temporarily is possible, it slows down development.

jaap3 commented Aug 20, 2012

This would require changing the render_toolbar method in /debug_toolbar/toolbar/loader.py. Instead of reading and passing the content of /debug_toolbar/media/debug_toolbar/js/toolbar.min.js (and /debug_toolbar/media/debug_toolbar/css/toolbar.min.css) to /debug_toolbar/templates/debug_toolbar/base.html, the template could just load the files using script src/link href.

Which seems like a sane idea anyway, as the current way of opening and reading files seems suboptimal to me. I'm not sure what the reasoning behind the current behaviour is.

graingert commented Aug 20, 2012

Also why is it in app/media/ and not app/static/ ?

graingert commented Aug 20, 2012

Ah, hang on, I've missed some, like:

#redirect.html

<script type="text/javascript">
    document.getElementById('redirect_to').focus();
</script>

jaap3 commented Aug 20, 2012

You could either extract that and put it in an external file, or just keep it as is. Your CSP just prevents execution right? This bit of JS is non-essential to the functionality of the debug toolbar.
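Added example, not code from the thread or from django-debug-toolbar itself: a small evaluator for the script-src directive of a Content-Security-Policy header, plus a helper that moves inline script bodies into external files. It shows the two points made above, that an inline block is refused by a policy without 'unsafe-inline' or a nonce, and that the same JS referenced through script src from the page's own origin passes under 'self'. The policy strings, page origin, nonce value and the static URL prefix are assumptions constructed for the example; the redirect.html snippet is the one quoted in the thread.

```python
"""
Added example: CSP script-src evaluation and inline-script externalisation.
Not django-debug-toolbar's own code; policies, origin, nonce and the static
URL prefix are constructed for illustration.
"""
import re
from urllib.parse import urljoin, urlparse

# Assumed location for extracted script files (hypothetical, not the project's).
STATIC_PREFIX = "/static/debug_toolbar/js/"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs scripts; default-src applies when it is absent.
    Returns None when neither is set, i.e. scripts are unrestricted."""
    return policy.get("script-src", policy.get("default-src"))


def inline_script_allowed(header, nonce=None):
    """An inline <script> runs only with 'unsafe-inline' or a matching nonce.
    A nonce or hash in the directive makes 'unsafe-inline' ignored (CSP2)."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def external_script_allowed(header, script_url, page_origin):
    """A <script src> passes when its origin matches 'self' or a host source."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True
    target = urlparse(urljoin(page_origin + "/", script_url))
    target_origin = f"{target.scheme}://{target.netloc}"
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or (src == "'self'" and target_origin == page_origin):
            return True
        if src.startswith("'"):
            continue  # keywords such as 'unsafe-inline' never match a URL
        host = src if "://" in src else f"{target.scheme}://{src}"
        if host.startswith(f"{target.scheme}://*."):
            if target.netloc.endswith(host.split("://*", 1)[1]):
                return True
        elif host == target_origin:
            return True
    return False


INLINE_SCRIPT = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S | re.I)


def externalize_inline_scripts(html, name):
    """Replace each inline <script> body with a <script src> reference and
    return (rewritten html, {filename: js}) so the JS can be served as a
    static file that a 'self' policy permits. Tags with src= are left alone."""
    files = {}

    def replace(match):
        if re.search(r"\bsrc\s*=", match.group("attrs"), re.I):
            return match.group(0)
        filename = f"{name}-{len(files)}.js"
        files[filename] = match.group("body").strip() + "\n"
        return f'<script src="{STATIC_PREFIX}{filename}"></script>'

    return INLINE_SCRIPT.sub(replace, html), files


# Constructed: a policy a developer might run locally, the page origin, and
# the redirect.html focus snippet quoted in the thread.
DEV_POLICY = "default-src 'self'; script-src 'self'; style-src 'self'"
PAGE_ORIGIN = "https://dev.example.test"
REDIRECT_HTML = """<script type="text/javascript">
    document.getElementById('redirect_to').focus();
</script>"""


def demo():
    """Inline snippet is blocked; the same code via script src is allowed."""
    blocked = inline_script_allowed(DEV_POLICY)
    html, files = externalize_inline_scripts(REDIRECT_HTML, "redirect")
    src = re.search(r'src="([^"]+)"', html).group(1)
    allowed = external_script_allowed(DEV_POLICY, src, PAGE_ORIGIN)
    return blocked, allowed, html, files


if __name__ == "__main__":
    print(demo())
```

The evaluator deliberately covers only 'self', 'none', '*', plain and wildcard host sources, 'unsafe-inline' and nonces; browsers also honour hashes and scheme sources, which is enough to confirm that the reply's "just prevents execution" reading is the whole story: a blocked inline script is simply not run, nothing else on the page is affected.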

@jezdez jezdez closed this in 189668e Aug 27, 2012

ryneeverett pushed a commit to ryneeverett/django-debug-toolbar that referenced this issue Oct 2, 2016
