Asking for ideas and suggestion on my proposed theme #126
achalcipher asked this question in Q&A (Unanswered, 0 replies)
I'm Achal, an enthusiastic developer and open-source contributor, eager to improve Wagtail's CSP compatibility as part of GSoC 2025. After going through the discussions around inline scripts, eval() usage, and CSP directives (e.g., issues wagtail/wagtail#12368 and wagtail/wagtail#7053), I've been exploring ways to address these challenges while keeping Wagtail's admin both secure and functional.
Here's the approach I'm considering:
Audit CSP Violations – Run Wagtail's admin with a strict CSP and systematically log remaining issues, ensuring a clear picture of unsafe-inline scripts, styles, and other policy gaps.
Refactor Inline Scripts & Styles – Move them to external files where possible, introduce CSP-compliant nonce attributes, and adjust templates/widgets accordingly.
Replace eval() Usage – Modify areas like modal choosers to use safer alternatives such as JSON parsing or predefined functions.
Secure External Assets (e.g., Gravatar) – Explore CSP-friendly handling methods, whether through secure URL rewriting, alternative implementations, or better configuration options.
Create a Strict CSP Guide – Document a recommended CSP configuration for Wagtail using tools like django-csp, making it easier for developers to adopt best practices.
Test CSP in a Live Environment – Apply a strict CSP on wagtail.org, analyze real-world issues, and refine solutions accordingly.
I have experience working with Django, JavaScript, and frontend security best practices, so I’m confident in implementing these changes without disrupting Wagtail’s usability.
I’d love to get your thoughts on this plan. Would you be open to reviewing my proposal draft?
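The first three steps of the plan above (audit violations, move to nonces, find eval() call sites) can be driven from a small amount of tooling. The following is an added example written for this page; it is not Wagtail or django-csp code. It builds a nonce-based strict policy, lints a policy for the sources that undermine it ('unsafe-inline', 'unsafe-eval', wildcards in script-src), and aggregates the JSON violation reports that browsers POST to a report-uri endpoint so the audit shows which templates and scripts still violate the policy. The /csp-report/ endpoint path, the cms.example host and the sample report bodies are constructed for the example and are assumptions, not real Wagtail data.

```python
"""Added example, not code from Wagtail or django-csp: build a nonce-based strict CSP
header, lint a policy for weak sources, and triage browser CSP violation reports.
The /csp-report/ path, the cms.example host and SAMPLE_REPORTS are assumptions."""
import json
import secrets
from collections import Counter

# Baseline strict policy; script-src and style-src get a per-response nonce appended.
STRICT_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'self'"],
    "report-uri": ["/csp-report/"],  # assumed endpoint that receives violation JSON
}
NONCE_DIRECTIVES = ("script-src", "style-src")


def make_nonce() -> str:
    """128 bits from a CSPRNG, base64url encoded; generate a fresh one per response."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str, directives=STRICT_DIRECTIVES) -> str:
    """Serialise a directive map into a Content-Security-Policy header value,
    adding 'nonce-<value>' to the directives that may allow nonced inline content."""
    parts = []
    for name, sources in directives.items():
        sources = list(sources)  # copy, so the shared map is never mutated
        if name in NONCE_DIRECTIVES:
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp_header(value: str) -> dict:
    """Inverse of build_csp_header: header value -> {directive: [sources]}."""
    policy = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def weak_sources(value: str) -> list:
    """Return (directive, source) pairs that defeat a strict policy: 'unsafe-inline'
    and 'unsafe-eval' anywhere, wildcard or data: URLs where they would permit script."""
    findings = []
    for directive, sources in parse_csp_header(value).items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'") or (
                directive in ("script-src", "default-src") and src in ("*", "data:")
            ):
                findings.append((directive, src))
    return findings


def classify_report(report: dict) -> tuple:
    """Map one violation report (the JSON a browser POSTs to report-uri) to
    (directive, kind, location). Browsers set blocked-uri to 'inline' for inline
    script/style and to 'eval' for eval()/new Function(); anything else is external."""
    body = report.get("csp-report", report)
    directive = (body.get("effective-directive") or body.get("violated-directive", "")).split()[0]
    blocked = body.get("blocked-uri", "")
    if blocked == "inline":
        kind = "inline"
    elif blocked == "eval":
        kind = "eval"
    else:
        kind = "external:" + blocked
    src = body.get("source-file") or body.get("document-uri", "?")
    line = body.get("line-number")
    location = f"{src}:{line}" if line is not None else src
    return directive, kind, location


def summarize_reports(lines) -> Counter:
    """Aggregate JSON-lines of reports into counts per (directive, kind, location)."""
    counts = Counter()
    for line in lines:
        if line.strip():
            counts[classify_report(json.loads(line))] += 1
    return counts


# Constructed sample reports (assumed hosts and file paths, not real Wagtail data).
_EDIT = "https://cms.example/admin/pages/1/edit/"
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": _EDIT, "effective-directive": "script-src",
                               "blocked-uri": "inline", "source-file": _EDIT, "line-number": 42}}),
    json.dumps({"csp-report": {"document-uri": _EDIT, "effective-directive": "script-src",
                               "blocked-uri": "inline", "source-file": _EDIT, "line-number": 42}}),
    json.dumps({"csp-report": {"document-uri": _EDIT, "effective-directive": "script-src",
                               "blocked-uri": "eval", "line-number": 7,
                               "source-file": "https://cms.example/static/wagtailadmin/js/chooser.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://cms.example/admin/",
                               "violated-directive": "img-src 'self' data:",
                               "blocked-uri": "https://www.gravatar.com"}}),
]

if __name__ == "__main__":
    nonce = make_nonce()
    print(build_csp_header(nonce))
    for key, n in summarize_reports(SAMPLE_REPORTS).most_common():
        print(n, *key)
```

Running the policy through weak_sources is the check to add to the proposed guide: a configuration that still carries 'unsafe-inline' or 'unsafe-eval' in script-src passes no audit, whatever else it restricts. The report summary groups the remaining violations by origin: 'inline' entries point at templates that still need the nonce (with django-csp the per-request value is exposed to templates as request.csp_nonce), 'eval' entries point at the scripts where eval() has to be replaced, and 'external:' entries point at assets such as Gravatar that need a deliberate source entry or a different serving method.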