mbi / django-rosetta

Rosetta is a Django application that eases the translation process of your Django projects
MIT License

Content-Security-Policy compatibility #287

Closed bmihelac closed 5 months ago

bmihelac commented 6 months ago

Django 4.2

0.10.0


It would be nice to ditch using inline styles and scripts so that the Django Rosetta admin interface can be used with CSP headers without needing to specify SHA-256 hashes.

The workaround for 0.10.0 is:

CSP_STYLE_SRC += [
    "'sha256-q5rmgt0qnS6vusTX681CxP1llW8fGLSs67L4+dVXYgM='",
    "'sha256-r6dGmfJqBIB7bl4g+OioPKi2r6BGt6yJMK3smPY2W3o='",
    "'unsafe-hashes'",
]
CSP_SCRIPT_SRC += [
    "'sha256-+cShGZPBVbwcgDZxLez6BVyIIip5Ei8dtU08wGULPgA='",
    "'sha256-TcUB1mzXiQO4GxpTRZ0EMpOXKMU3u+n/q1WrgVIcs1I='",
]
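
How `'sha256-…'` entries like the ones in the workaround above are derived, as an added example (not part of the original issue and not django-rosetta code): each is the base64-encoded SHA-256 digest of the exact inline content, and hashes only match `style=""` attributes when `'unsafe-hashes'` is present. The names `csp_hash`, `InlineCollector`, `csp_sources` and the sample markup are assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_hash(content: str) -> str:
    """Return the CSP source expression ('sha256-<base64>') for inline content."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineCollector(HTMLParser):
    # Collects inline <script>/<style> bodies and style="" attribute values.
    def __init__(self):
        super().__init__()
        self.script, self.style, self.style_attr = [], [], []
        self._tag, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get("style"):
            self.style_attr.append(attrs["style"])
        # Scripts with src= are matched by URL or nonce, not by content hash.
        if tag == "style" or (tag == "script" and "src" not in attrs):
            self._tag, self._buf = tag, []

    def handle_data(self, data):
        if self._tag:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._tag:
            getattr(self, tag).append("".join(self._buf))
            self._tag = None

def csp_sources(html: str) -> dict:
    """Build the hash lists a rendered page would need under a strict CSP."""
    c = InlineCollector()
    c.feed(html)
    c.close()
    style = sorted({csp_hash(s) for s in c.style + c.style_attr})
    if c.style_attr:
        # Hashes apply to style="" attributes only with 'unsafe-hashes'.
        style.append("'unsafe-hashes'")
    return {"CSP_SCRIPT_SRC": sorted({csp_hash(s) for s in c.script}),
            "CSP_STYLE_SRC": style}

# Constructed sample markup, not taken from django-rosetta's templates.
SAMPLE = ('<style>p{color:red}</style><div style="display:none">x</div>'
          '<script>document.title = "x"</script>'
          '<script src="/static/app.js"></script>')
```

The digest covers every byte between the tags, whitespace included, so the hashes have to be recomputed whenever a template's inline content changes.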

mbi commented 6 months ago

Yea, I see that could be useful, although not my highest priority at the moment! A PR would be appreciated if you feel like digging into this.

bmihelac commented 6 months ago

@mbi Thanks for the suggestion. I’ll keep this in mind and see if I can find some time to work on it.

mbi commented 5 months ago

Merged, thank you so much!