
Content-Security-Policy and strict-dynamic

Open sshishov opened this issue 3 years ago • 9 comments

Django Debug Toolbar is blocked by CSP if we are using strict-dynamic. Django already supports it out of the box if we can include nonce="{{request.csp_nonce}}" in the template.

sshishov avatar Dec 15 '22 22:12 sshishov

Thanks for opening the issue.

Django already supports it out of the box if we can include nonce="{{request.csp_nonce}}" in the template.

Can you elaborate on where in the template this should go? A PR would be welcome too. If not, defining this issue so a newcomer could pick it up would be very helpful to us.

tim-schilling avatar Dec 15 '22 22:12 tim-schilling

Hey!

I just encountered this issue myself.

The error that I'm getting is something like:

Refused to load the script 'http://localhost:8000/static/debug_toolbar/js/toolbar.js' because it violates the following Content Security Policy directive: "script-src-elem 'strict-dynamic' 

To fix this, every script/style added by this library should allow adding a nonce.

ex:

https://github.com/jazzband/django-debug-toolbar/blob/main/debug_toolbar/templates/debug_toolbar/redirect.html#L6

Could be something like

<script type="module" src="{% static 'debug_toolbar/js/toolbar.js' %}" async nonce="{{ CUSTOM_NONCE }}"></script>


jkevingutierrez avatar Mar 09 '23 00:03 jkevingutierrez
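The refusal quoted above follows from how 'strict-dynamic' changes CSP source matching. The following is an added Python model of that (example code, not part of django-debug-toolbar and not from anyone in this thread) that checks whether the toolbar script tag would be loaded with and without the proposed nonce attribute. The `TOOLBAR_JS` URL, the `script_tag` renderer, the policy strings and the `page_origin` default are assumptions built from the URL and snippet quoted in this thread; the nonce stands in for whatever `request.csp_nonce` would hold.

```python
import secrets
from urllib.parse import urlsplit

TOOLBAR_JS = "http://localhost:8000/static/debug_toolbar/js/toolbar.js"  # URL from the error above

def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def origin_of(url):
    return "{0.scheme}://{0.netloc}".format(urlsplit(url))

def script_src_allowed(policy, src, page_origin, nonce=None):
    """Would the browser load <script src=... nonce=...> under this policy?
    Modelled rules: script-src-elem falls back to script-src, then default-src;
    a matching nonce always allows the element; with 'strict-dynamic' present,
    host sources and 'self' are ignored, so an un-nonced script is refused even
    when served from the page's own origin."""
    directives = ("script-src-elem", "script-src", "default-src")
    sources = next((policy[d] for d in directives if d in policy), [])
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    if "'strict-dynamic'" in sources:
        return False
    for source in sources:
        if source == "'self'" and origin_of(src) == page_origin:
            return True
        if source.startswith(("http://", "https://")) and origin_of(src) == origin_of(source):
            return True
    return False

def script_tag(src, nonce=None):
    """Render the toolbar <script> tag, adding the proposed nonce attribute if given."""
    nonce_attr = f' nonce="{nonce}"' if nonce else ""
    return f'<script type="module" src="{src}" async{nonce_attr}></script>'

def demo(page_origin="http://localhost:8000"):
    nonce = secrets.token_urlsafe(16)  # stands in for request.csp_nonce, assumed set per response
    strict = parse_policy(f"script-src 'strict-dynamic' 'nonce-{nonce}'")
    host_based = parse_policy("script-src 'self'")
    return {
        "host_policy_no_nonce": script_src_allowed(host_based, TOOLBAR_JS, page_origin),
        "strict_dynamic_no_nonce": script_src_allowed(strict, TOOLBAR_JS, page_origin),
        "strict_dynamic_with_nonce": script_src_allowed(strict, TOOLBAR_JS, page_origin, nonce),
    }
```

Under the host-based policy the un-nonced toolbar script loads, under the strict-dynamic policy it is refused exactly as in the error above, and adding the per-response nonce to the tag is what makes it load again.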

@tim-schilling according to this proposal it isn't in Django core yet. It's a third-party project that seems to be the de facto library for Django implementations.

braiam avatar May 25 '23 11:05 braiam