Describe the bug
Hi, we are trying to implement the Strict CSP policy, meaning we do not allow unsafe-inline and require strict-dynamic.
To Reproduce
When we are trying to render the page, we are getting:
Swagger:
- Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui.css'
- Refused to load the script 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui-bundle.js'
- Refused to load the script 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui-standalone-preset.js'
- Refused to execute inline script because it violates... (inline script with 'swaggerSettings' etc)
Redoc:
- Refused to load the script 'https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js'
Expected behavior
No CSP errors should happen when using strict-dynamic with support of CSP.
NOTE: I have manually added it in the file using <script nonce="{{request.csp_nonce}}" ...> and it was working like a charm.
I guess nowadays if you are using CSP, it is django-csp, therefore it is good to add the support for it. Also maybe in future it will become the django standard library.
NOTE: if django-csp is not used, it still should be acceptable as people will be able to add either Host-based exclusion or allow unsafe-inline altogether.
What do you think?
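To make the reported behaviour concrete, here is an added example (not code from this issue or from the project) that models the script-src part of a Strict CSP with a per-request nonce and checks the Swagger template's CDN script and inline settings block against it, with and without the nonce the reporter added by hand. `make_nonce`, `strict_csp`, `script_allowed` and `nonced_script_tag` are names chosen for this example; the CSP evaluation is deliberately simplified (no hashes, 'self' or script-src-elem fallback).

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit

# URL quoted in the report's console errors.
SWAGGER_BUNDLE = "https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui-bundle.js"


def make_nonce() -> str:
    """Per-request nonce, standing in for django-csp's request.csp_nonce (constructed here)."""
    return secrets.token_urlsafe(16)


def strict_csp(nonce: str) -> str:
    """The kind of Strict CSP the report describes: nonce + strict-dynamic, no unsafe-inline."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"


def script_src_sources(policy: str) -> list[str]:
    """Source expressions of the script-src directive (empty list if the directive is absent)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def script_allowed(policy: str, src: Optional[str], nonce: Optional[str]) -> bool:
    """Simplified CSP3 decision for a parser-inserted <script>; src=None means an inline script.
    Models nonces, 'strict-dynamic', 'unsafe-inline' and host/scheme sources only."""
    sources = script_src_sources(policy)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonce is not None and nonce in nonces:
        return True  # a matching nonce allows inline and external scripts alike
    if "'strict-dynamic'" in sources:
        return False  # strict-dynamic: host allowlists and 'unsafe-inline' are ignored
    if src is None:
        return "'unsafe-inline'" in sources
    scheme, host = urlsplit(src).scheme, urlsplit(src).netloc
    return any(s == "*" or s == f"{scheme}:" or s == host or urlsplit(s).netloc == host
               for s in sources)


def nonced_script_tag(nonce: str, src: Optional[str] = None, body: str = "") -> str:
    """The template line the reporter added manually: a nonce-carrying <script> element."""
    if src is not None:
        return f'<script nonce="{nonce}" src="{src}"></script>'
    return f'<script nonce="{nonce}">{body}</script>'
```

Under the strict policy both the CDN bundle and the inline `swaggerSettings` script are refused until the template carries the nonce, while the same tags pass under a host-allowlist policy, which is why a host-based exclusion or unsafe-inline remains a fallback when django-csp is not in use.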