
Create csp.extensions.NoncedStyle extension #212

Open
GergelyKalmar opened this issue Jan 27, 2024 · 3 comments
Labels
feature new features help-wanted Community contributions particularly welcome!

Comments

@GergelyKalmar

We're using the csp.extensions.NoncedScript extension in our Jinja templates and it has been very useful. We would love if there was a similar template tag that we could use for inline styles as well.

@stevejalim stevejalim added feature new features help-wanted Community contributions particularly welcome! labels Jan 29, 2024
@stevejalim (Contributor)

Thanks @GergelyKalmar - makes sense and doesn't look too big a lift. I'm triaging things at the moment, but my first thought is that this could be a good one as a small contribution, so I will label it and see if anyone is interested.

@karolyi

karolyi commented Sep 25, 2024

I took a different approach to solve this problem on my own.

In my tools package, I created a render_nonce_attr function that will render a nonce attribute, provided you pass it the request in the Jinja template:

https://git.ksol.io/karolyi/py-ktools/src/commit/6a540345dce1b94826f09ef3daad3696df94b252/src/ktools/django/jinja/extensions.py#L102

And:

https://git.ksol.io/karolyi/py-ktools/src/branch/master/src/ktools/django/csp/tags.py

Then I just render everything with this tag added from the template, e.g.:

<script type="text/javascript" src="{{ static('ts-outdated-browser.js')}}"{{ render_nonce_attr(request=request) }}></script>
<script{{ render_nonce_attr(request=request) }} type="text/javascript">alert('hello world')</script>
<link rel="stylesheet" href="{{ static('outdatedbrowser/outdatedbrowser.min.css') }}" type="text/css"{{ render_nonce_attr(request=request) }}/>

... and so on, you get the gist of it.

Also, I've committed significant upgrades to the django-webpack project, as well as the django-debug-toolbar, and others I don't remember off the top of my head. If you look at the KToolsDjangoExtension I linked in the first link, there are even more helpers for CSP stuff, for example the Form.Media renderer that will add nonces to form media tags, provided you wrap them up.

The tools are free to be used; I put them to good use in many of my own projects.
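The two approaches in this thread (a NoncedStyle block tag like the existing NoncedScript extension, and a render_nonce_attr(request) helper dropped into arbitrary tags) both depend on the same invariant: the nonce written into each inline style or script tag must be the one the response's Content-Security-Policy header announces, generated once per request and never reused across requests. The following added example is framework-independent Python written for this page, not django-csp's code and not the code karolyi linked. It uses a constructed FakeRequest stand-in for a Django request; the csp_nonce attribute name, the lazy per-request generation and the helper names are assumptions made for illustration, and the Jinja wiring (registering the helpers as environment globals or as an Extension) is left out.

```python
import html
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FakeRequest:
    """Constructed stand-in for a Django request carrying a per-request nonce.

    The attribute name csp_nonce and the lazy generation are assumptions;
    a CSP middleware would normally provide this.
    """

    _nonce: Optional[str] = field(default=None, repr=False)

    @property
    def csp_nonce(self) -> str:
        # Generated once per request: every tag and the header share this value.
        if self._nonce is None:
            self._nonce = secrets.token_urlsafe(16)
        return self._nonce


def render_nonce_attr(request) -> str:
    """Return ' nonce="..."' for the request, or '' if no nonce is available.

    Returning an empty string keeps templates valid even when the middleware
    that sets the nonce is not active (hypothetical helper, not karolyi's).
    """
    nonce = getattr(request, "csp_nonce", None)
    if not nonce:
        return ""
    # Escape defensively even though the nonce is URL-safe base64.
    return f' nonce="{html.escape(nonce, quote=True)}"'


def nonced_style(request, css: str) -> str:
    """Wrap template-authored inline CSS in a <style> tag carrying the nonce.

    The CSS is trusted template content, not user input, so it is not escaped.
    """
    return f"<style{render_nonce_attr(request)}>{css}</style>"


def nonced_script(request, js: str) -> str:
    """Same as nonced_style, for inline JavaScript authored in the template."""
    return f"<script{render_nonce_attr(request)}>{js}</script>"


def build_csp_header(request, style_src=("'self'",), script_src=("'self'",)) -> str:
    """Build a Content-Security-Policy value whose nonce matches the rendered tags."""
    nonce_source = f"'nonce-{request.csp_nonce}'"
    directives = [
        "default-src 'self'",
        "script-src " + " ".join([*script_src, nonce_source]),
        "style-src " + " ".join([*style_src, nonce_source]),
    ]
    return "; ".join(directives)


def render_page(request):
    """Render a header/body pair the way a view plus template would."""
    body = "\n".join(
        [
            nonced_style(request, "body { margin: 0 }"),
            nonced_script(request, "console.log('hello world')"),
        ]
    )
    return build_csp_header(request), body


def nonce_matches(header: str, body: str, request) -> bool:
    """Check that header and body agree on the nonce and no tag was missed."""
    token = f"'nonce-{request.csp_nonce}'"
    return token in header and body.count(f'nonce="{request.csp_nonce}"') == 2


if __name__ == "__main__":
    req = FakeRequest()
    hdr, html_body = render_page(req)
    print(hdr)
    print(html_body)
    print("consistent:", nonce_matches(hdr, html_body, req))
```

The nonce_matches check is the property worth asserting in a test suite: a style tag rendered without the attribute (or with a nonce from a different request) will be blocked by the browser, and that failure only shows up as a CSP violation report, not as a template error.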

@karolyi

karolyi commented Sep 25, 2024

Btw, I use 4.0 from this repo, and with all my modifications I mentioned above, it works nicely in a huge project that is extensively used.
