Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Hard to integrate with CSP rules in place #531

Closed
sgelis opened this issue Dec 17, 2021 · 2 comments · Fixed by #635
Closed

Hard to integrate with CSP rules in place #531

sgelis opened this issue Dec 17, 2021 · 2 comments · Fixed by #635
Labels
cleanup enhancement

Comments

@sgelis
Copy link
Contributor

sgelis commented Dec 17, 2021

django-silk makes extensive use of inline <style> and <script> tags in its templates. This makes it very hard to :

  • Override default behavior of style and/or scripts (whole template needs to be overridden).
    -Apply CSP rules properly on a project that wants to use Silk and proper CSP rules (almost all templates must be overridden to add nonce attributes all over the place).

Was there a historical reason to put all these <style> and <script> tags inline? Would a PR addressing this issue be considered OK for maintainers?
@Archmonger
Copy link
Contributor

Not sure about the historical reasoning, but many django repositories use static files for CSS/JS. I see no reason why we can't do that here.

Feel free to PR this behavior.

@sshishov
Copy link

Using <style> and <script> tags are the proper approach actually. We should not use inline styles or scripts.

The solution would be here to add the support for nonce to be injected in every style or script in the templates if it is available in the context, for instance.

This is how all other third party apps added the support for CSP3.

sgelis added a commit to sgelis/django-silk that referenced this issue Dec 26, 2022
@sgelis
Outsource all inline scripts and styles. Fixes jazzband#531.
97a5d33
@sgelis sgelis mentioned this issue Dec 26, 2022
Merged
albertyw pushed a commit that referenced this issue Jan 15, 2023
@sgelis @pre-commit-ci
Outsource all inline scripts and styles (#635)
415529c 
* Outsource all inline scripts and styles. Fixes #531.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
cleanup enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Outsource all inline scripts and styles sgelis/django-silk
4 participants
@SebCorbin @sshishov @Archmonger @sgelis