Allow certain URLs to be exempted from 'strict-dynamic' #95
Comments
@mark-adams Thanks for raising this! If I'm understanding this correctly, you want to set a different CSP policy (including or excluding the

Possible options:

```python
# urls.py
from django.contrib import admin
from django.urls import path
from csp.decorators import csp_replace

urlpatterns = [
    # Override script-src for everything served under admin/
    path('admin/', csp_replace(SCRIPT_SRC="'self'")(admin.site.urls)),
]
```

Am I understanding the problem correctly? Would any of those options work?
Closing since this is really old and I think I addressed it in my last comment, but happy to revisit later.
I also stumbled on this. Since

```python
from django.contrib import admin
from django.urls import path
from csp.decorators import csp_replace
from decorator_include import decorator_include

urlpatterns = [
    # decorator_include applies the decorator to every view in the included URLconf
    path("admin/", decorator_include(csp_replace(SCRIPT_SRC="'self'"), admin.site.urls)),
    # ... remaining patterns
]
```
In a Django application, there are often certain views that are not controlled by the developer (such as the Django admin). For those of us using `'strict-dynamic'` in our CSP policies, the only real option currently is to whitelist these URLs (which is very undesirable).

It is also common to have fallback CSP policies for when a user agent doesn't support `strict-dynamic`. An example policy would be `'strict-dynamic' 'unsafe-inline' 'self' http: https:`. With this policy, a CSP 3.x compatible browser would ignore `unsafe-inline`, `self`, `http:`, and `https:` and only obey `strict-dynamic`, while older browsers would ignore `strict-dynamic` and follow the policy in the other directives.

It would be nice to define some sort of `settings.CSP_BYPASS_STRICT_DYNAMIC` value that would exclude views from having `strict-dynamic` applied to their CSP policy while leaving the other fallback directives alone. That way, views that the developer does not control (like Django admin) would have at least some benefit from CSP.
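To make the fallback behaviour described in the issue concrete, here is an added example (not django-csp's own code, and not an API the project exposes): a plain-Python model of which source expressions a CSP Level 1, 2 or 3 user agent actually enforces for a `script-src` list, plus the per-path exemption the issue asks for, using the proposed `CSP_BYPASS_STRICT_DYNAMIC` name as a hypothetical setting. The nonce value, the path prefixes and the policy list are constructed for the example; a nonce is included because `'strict-dynamic'` only permits scripts when a nonce or hash is present.

```python
"""Added example, not django-csp's own code: model how a CSP Level 1, 2 or 3
user agent interprets a script-src list that mixes 'strict-dynamic' with
fallback sources, and how a per-path exemption can drop only 'strict-dynamic'.

CSP_BYPASS_STRICT_DYNAMIC is the setting name proposed in the issue and is
hypothetical here; nothing below is an API of django-csp.
"""
from typing import Iterable, List

STRICT_DYNAMIC = "'strict-dynamic'"
UNSAFE_INLINE = "'unsafe-inline'"

# Constructed policy mirroring the issue's example, with a nonce added because
# 'strict-dynamic' only allows scripts that carry a nonce or hash.
BASE_SCRIPT_SRC = [
    "'nonce-r4nd0m'",
    STRICT_DYNAMIC,
    UNSAFE_INLINE,
    "'self'",
    "http:",
    "https:",
]

# Hypothetical setting: path prefixes served without 'strict-dynamic'
# (e.g. the Django admin, whose templates the developer does not control).
CSP_BYPASS_STRICT_DYNAMIC = ["/admin/"]


def script_src_for_path(path: str,
                        sources: Iterable[str] = BASE_SCRIPT_SRC,
                        bypass_prefixes: Iterable[str] = CSP_BYPASS_STRICT_DYNAMIC) -> List[str]:
    """Return the script-src list for `path`: 'strict-dynamic' removed for
    exempted prefixes, every other source expression left untouched."""
    sources = list(sources)
    if any(path.startswith(prefix) for prefix in bypass_prefixes):
        return [s for s in sources if s != STRICT_DYNAMIC]
    return sources


def _is_nonce_or_hash(source: str) -> bool:
    return source.startswith("'nonce-") or source.startswith("'sha")


def effective_sources(sources: Iterable[str], csp_level: int) -> List[str]:
    """Simulate which source expressions a user agent of the given CSP level
    enforces (unknown expressions are ignored, never an error):

    * Level 3: with 'strict-dynamic' present, only nonces/hashes and
      'strict-dynamic' itself count; host, scheme, 'self' and 'unsafe-inline'
      are ignored. Without it, behaves like Level 2.
    * Level 2: 'strict-dynamic' is unknown; 'unsafe-inline' is ignored when a
      nonce or hash is present.
    * Level 1: nonces, hashes and 'strict-dynamic' are all unknown, so only
      the host/scheme fallback and 'unsafe-inline' apply.
    """
    sources = list(sources)
    if csp_level >= 3 and STRICT_DYNAMIC in sources:
        return [s for s in sources if s == STRICT_DYNAMIC or _is_nonce_or_hash(s)]
    has_nonce_or_hash = any(_is_nonce_or_hash(s) for s in sources)
    kept = []
    for s in sources:
        if s == STRICT_DYNAMIC:
            continue  # unknown keyword below Level 3
        if _is_nonce_or_hash(s) and csp_level < 2:
            continue  # nonces/hashes unknown before Level 2
        if s == UNSAFE_INLINE and csp_level >= 2 and has_nonce_or_hash:
            continue  # Level 2+: a nonce/hash is present, so 'unsafe-inline' is ignored
        kept.append(s)
    return kept


def render_header(sources: Iterable[str]) -> str:
    """Serialise a source list as the script-src directive to send."""
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    for request_path in ("/app/dashboard/", "/admin/login/"):
        sent = script_src_for_path(request_path)
        print(request_path, "->", render_header(sent))
        for level in (1, 2, 3):
            print(f"   CSP Level {level} enforces:", " ".join(effective_sources(sent, level)))
```

Running it shows the point of the issue: the admin path is sent without `'strict-dynamic'`, so a Level 3 browser falls back to the host and scheme sources instead of enforcing `'strict-dynamic'` alone. It also shows a caveat to keep in mind when designing such an exemption: as long as a nonce remains in the list, a Level 2 or 3 browser still ignores `'unsafe-inline'` on the exempted path, so if the uncontrolled view relies on inline scripts the nonce would have to be dropped for that path as well.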