Support the strictest CSP with nonce for scripts

2025-04-16 07:02:10 +03:00 · 2024-08-23 23:19:56 +05:00 · 2024-08-23 23:19:56 +05:00 · 93a091304e
commit 93a091304e
parent f113ab6b68
5 changed files with 26 additions and 26 deletions
--- a/rest_framework/templates/rest_framework/admin.html
+++ b/rest_framework/templates/rest_framework/admin.html
@ -244,19 +244,19 @@
      {% endif %}

      {% block script %}
-        <script type="application/json" id="drf_csrf">
+        <script type="application/json" id="drf_csrf" nonce="{{ request.csp_nonce }}">
          {
            "csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}",
            "csrfToken": "{{ csrf_token }}"
          }
        </script>
-        <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}"></script>
-        <script src="{% static "rest_framework/js/ajax-form.js" %}"></script>
-        <script src="{% static "rest_framework/js/csrf.js" %}"></script>
-        <script src="{% static "rest_framework/js/bootstrap.min.js" %}"></script>
-        <script src="{% static "rest_framework/js/prettify-min.js" %}"></script>
-        <script src="{% static "rest_framework/js/default.js" %}"></script>
-        <script src="{% static "rest_framework/js/load-ajax-form.js" %}"></script>
+        <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/csrf.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/bootstrap.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/prettify-min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/default.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/load-ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
      {% endblock %}
    </body>
  {% endblock %}
--- a/rest_framework/templates/rest_framework/base.html
+++ b/rest_framework/templates/rest_framework/base.html
@ -287,19 +287,19 @@
    {% endif %}

    {% block script %}
-      <script type="application/json" id="drf_csrf">
+      <script type="application/json" id="drf_csrf" nonce="{{ request.csp_nonce }}">
        {
          "csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}",
          "csrfToken": "{% if request %}{{ csrf_token }}{% endif %}"
        }
      </script>
-      <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}"></script>
-      <script src="{% static "rest_framework/js/ajax-form.js" %}"></script>
-      <script src="{% static "rest_framework/js/csrf.js" %}"></script>
-      <script src="{% static "rest_framework/js/bootstrap.min.js" %}"></script>
-      <script src="{% static "rest_framework/js/prettify-min.js" %}"></script>
-      <script src="{% static "rest_framework/js/default.js" %}"></script>
-      <script src="{% static "rest_framework/js/load-ajax-form.js" %}"></script>
+      <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/csrf.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/bootstrap.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/prettify-min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/default.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/load-ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
    {% endblock %}

  </body>
--- a/rest_framework/templates/rest_framework/docs/error.html
+++ b/rest_framework/templates/rest_framework/docs/error.html
@ -66,6 +66,6 @@ at <code>rest_framework/docs/error.html</code>.</p>



-        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}"></script>
+        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
    </body>
 </html>
--- a/rest_framework/templates/rest_framework/docs/index.html
+++ b/rest_framework/templates/rest_framework/docs/index.html
@ -17,8 +17,8 @@
        <link href="{% static 'rest_framework/docs/img/favicon.ico' %}" rel="shortcut icon">

        {% if code_style %}<style>{{ code_style }}</style>{% endif %}
-        <script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}"></script>
-        <script src="{% url 'api-docs:schema-js' %}"></script>
+        <script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% url 'api-docs:schema-js' %}" nonce="{{ request.csp_nonce }}"></script>

    </head>

@ -38,11 +38,11 @@
        {% include "rest_framework/docs/auth/basic.html" %}
        {% include "rest_framework/docs/auth/session.html" %}

-        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}"></script>
-        <script src="{% static 'rest_framework/js/bootstrap.min.js' %}"></script>
-        <script src="{% static 'rest_framework/docs/js/jquery.json-view.min.js' %}"></script>
-        <script src="{% static 'rest_framework/docs/js/api.js' %}"></script>
-        <script>
+        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static 'rest_framework/js/bootstrap.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static 'rest_framework/docs/js/jquery.json-view.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static 'rest_framework/docs/js/api.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script nonce="{{ request.csp_nonce }}">
            {% if user.is_authenticated %}
                window.auth = {
                    'type': 'session',
--- a/rest_framework/templates/rest_framework/docs/langs/javascript-intro.html
+++ b/rest_framework/templates/rest_framework/docs/langs/javascript-intro.html
@ -1,5 +1,5 @@
 {% load rest_framework %}
 {% load static %}
 <pre class="highlight javascript hide" data-language="javascript"><code>{% code html %}<!-- Load the JavaScript client library -->
-<script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}"></script>
-<script src="{% url 'api-docs:schema-js' %}"></script>{% endcode %}</code></pre>
+<script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}" nonce="{{ request.csp_nonce }}"></script>
+<script src="{% url 'api-docs:schema-js' %}" nonce="{{ request.csp_nonce }}"></script>{% endcode %}</code></pre>