FIX: Removes inline scripts for CSP compatibility #171
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Converts configs in `stacked.html` and `tabular.html` to JSON. * Adds `inline-stacked.js` and `inline-tabular.js` which load the respective configs and initialize sortable formsets. * Adds the scripts to `SortableInlineAdminMixin.media`. * Converts config in `change_list.html` to JSON. * Updates `list-sortable.js` to load the config.
|
Why should it be safer to disallow inlined JavaScript, rather than importing it? Can you point me onto a security site, where this attack vector is explained. |
|
In short: avoiding inline scripts is a best practice because they can be an attack vector for cross-site scripting. |
|
OK, got it. Since I do configurations in other projects using the same pattern, I'll probably have to adopt them too. Hmmm. |
|
Done. PR #172. The version of the next release is assumed to be 0.6.17. And yeah, it's a good idea in general. I've been submitting PRs to a bunch of projects recently for similar reasons. |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In order to enforce an effective CSP, sites must disallow the use of inline scripts, as they are a common exploit vector for attacks. Unfortunately, django-admin-sortable2 uses them in three places to pass configuration data to the front-end. This causes it to break when such a CSP is enforced.
This PR fixes the issue by splitting the inline scripts into two parts. The configuration data is converted into JSON structures which are left in the templates and the logic is moved to external scripts. The commit message has a more detailed list of the changes.