Can we add `nonce` support for `django-csp`?
Opened this issue · 1 comments
Describe the bug
Hi, we are trying to implement the Strict CSP policy, meaning we do not allow unsafe-inline and require strict-dynamic.
To Reproduce
When we are trying to render the page, we are getting:
Swagger:
- Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui.css'
- Refused to load the script 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui-bundle.js'
- Refused to load the script 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui-standalone-preset.js'
- Refused to execute inline script because it violates... (inline script with 'swaggerSettings' etc)
Redoc:
- Refused to load the script 'https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js'
Expected behavior
No CSP errors should happen when using strict-dynamic with CSP support.
NOTE: I have manually added it in the file using <script nonce="{{request.csp_nonce}}" ...>
and it was working like a charm.
I guess nowadays if you are using CSP, it is django-csp, therefore it is good to add support for it. Also, maybe in the future it will become part of the Django standard library.
NOTE: if django-csp is not used, it should still be acceptable, as people will be able to add either a host-based exclusion or allow unsafe-inline altogether.
What do you think?
Additional information: Redoc has added nonce support already.
Changelog: https://github.com/Redocly/redoc/blob/main/CHANGELOG.md#200-rc66-2022-03-30
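For anyone picking this up, here is an added, stand-alone example (not code from this project or from django-csp) of what the Swagger template has to emit under the policy the report describes, plus a small checker that reproduces the four console errors and shows them disappearing once the nonce is on the tags. The template text, the directive set in `build_csp()`, the sample settings and all helper names are assumptions; only the jsDelivr URLs and the `swaggerSettings` name come from the report. `csp_violations()` models just enough of CSP source matching (nonce, `'strict-dynamic'`, `'unsafe-inline'`, `'self'`, host expressions) to make the point: once `'strict-dynamic'` is present the browser ignores host allowlists and `'unsafe-inline'` for scripts, so every `<script>` (external or inline) needs the nonce, and the stylesheet `<link>` needs it too unless `style-src` allow-lists the CDN host.

```python
"""Strict CSP (nonce + 'strict-dynamic') for the bundled Swagger UI template.

Added example, not code from this project or from django-csp. The template
stand-in, directive set and helper names are assumptions.
"""
import json
import secrets
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the view's swaggerSettings context value.
SWAGGER_SETTINGS = {"url": "/api/schema/", "deepLinking": True}
CDN = "https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/"


def make_nonce() -> str:
    """Per-response nonce; django-csp exposes its own as request.csp_nonce."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Assumed policy: no 'unsafe-inline', scripts only via nonce + 'strict-dynamic'."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )


def render_swagger(nonce: Optional[str], settings: dict) -> str:
    """Template stand-in; nonce=None mirrors a template without nonce support.

    With a nonce, every <script> and the stylesheet <link> get nonce="...",
    which is the change the report applied by hand.
    """
    attr = f' nonce="{nonce}"' if nonce else ""
    # Escape "</" so a settings value can never close the <script> element early.
    settings_js = json.dumps(settings).replace("</", r"<\/")
    return f"""<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="{CDN}swagger-ui.css"{attr}>
</head><body>
<div id="swagger-ui"></div>
<script src="{CDN}swagger-ui-bundle.js"{attr}></script>
<script src="{CDN}swagger-ui-standalone-preset.js"{attr}></script>
<script{attr}>
const swaggerSettings = {settings_js};
window.ui = SwaggerUIBundle(Object.assign({{dom_id: "#swagger-ui"}}, swaggerSettings));
</script>
</body></html>"""


def parse_csp(header: str) -> dict:
    """'script-src a b; style-src c' -> {'script-src': {'a', 'b'}, 'style-src': {'c'}}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


class _Resources(HTMLParser):
    """Collects (kind, url, nonce) for scripts and stylesheets in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, Optional[str], Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.found.append(("script", a.get("src"), a.get("nonce")))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            self.found.append(("style", a.get("href"), a.get("nonce")))


def _allowed(url: Optional[str], nonce: Optional[str], sources: Set[str]) -> bool:
    """Simplified CSP source matching: nonce, 'strict-dynamic', 'unsafe-inline', 'self', host."""
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if "'strict-dynamic'" in sources:
        return False  # host expressions and 'unsafe-inline' are ignored by the browser
    if url is None:
        return "'unsafe-inline'" in sources  # inline script or style
    origin = urlparse(url)
    if not origin.netloc:
        return "'self'" in sources
    return f"{origin.scheme}://{origin.netloc}" in sources or origin.netloc in sources


def csp_violations(html: str, header: str) -> List[str]:
    """Messages the browser console would show for the given markup and policy."""
    policy = parse_csp(header)
    default = policy.get("default-src", set())
    collector = _Resources()
    collector.feed(html)
    messages = []
    for kind, url, nonce in collector.found:
        if _allowed(url, nonce, policy.get(f"{kind}-src", default)):
            continue
        if kind == "style":
            messages.append(f"Refused to load the stylesheet '{url}'")
        elif url is None:
            messages.append("Refused to execute inline script")
        else:
            messages.append(f"Refused to load the script '{url}'")
    return messages


if __name__ == "__main__":
    nonce = make_nonce()
    policy = build_csp(nonce)
    print("without nonce:", csp_violations(render_swagger(None, SWAGGER_SETTINGS), policy))
    print("with nonce:   ", csp_violations(render_swagger(nonce, SWAGGER_SETTINGS), policy))
```

Running it without the nonce lists the same four refusals as the report (stylesheet, both bundles, inline settings script); with the nonce the list is empty. The same checker also shows the fallback the report mentions for projects without django-csp: a policy such as `script-src https://cdn.jsdelivr.net 'unsafe-inline'; style-src https://cdn.jsdelivr.net` passes the un-nonced template, at the cost of giving up strict-dynamic.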