encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-11-04 01:47:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Support the strictest CSP with nonce for scripts

Browse Source
This commit is contained in:
Alexandr Artemyev 2024-08-23 23:19:56 +05:00 committed by Alexandr Artemyev
parent f113ab6b68
commit 93a091304e
No known key found for this signature in database
5 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
rest_framework/templates/rest_framework/admin.html
View File

@ -244,19 +244,19 @@
{% endif %} {% endif %}
{% block script %} {% block script %}
<script type="application/json" id="drf_csrf"> <script type="application/json" id="drf_csrf" nonce="{{ request.csp_nonce }}">
{ {
"csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}", "csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}",
"csrfToken": "{{ csrf_token }}" "csrfToken": "{{ csrf_token }}"
} }
</script> </script>
<script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}"></script> <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/ajax-form.js" %}"></script> <script src="{% static "rest_framework/js/ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/csrf.js" %}"></script> <script src="{% static "rest_framework/js/csrf.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/bootstrap.min.js" %}"></script> <script src="{% static "rest_framework/js/bootstrap.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/prettify-min.js" %}"></script> <script src="{% static "rest_framework/js/prettify-min.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/default.js" %}"></script> <script src="{% static "rest_framework/js/default.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/load-ajax-form.js" %}"></script> <script src="{% static "rest_framework/js/load-ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
{% endblock %} {% endblock %}
</body> </body>
{% endblock %} {% endblock %}

16
rest_framework/templates/rest_framework/base.html
View File

@ -287,19 +287,19 @@
{% endif %} {% endif %}
{% block script %} {% block script %}
<script type="application/json" id="drf_csrf"> <script type="application/json" id="drf_csrf" nonce="{{ request.csp_nonce }}">
{ {
"csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}", "csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}",
"csrfToken": "{% if request %}{{ csrf_token }}{% endif %}" "csrfToken": "{% if request %}{{ csrf_token }}{% endif %}"
} }
</script> </script>
<script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}"></script> <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/ajax-form.js" %}"></script> <script src="{% static "rest_framework/js/ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/csrf.js" %}"></script> <script src="{% static "rest_framework/js/csrf.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/bootstrap.min.js" %}"></script> <script src="{% static "rest_framework/js/bootstrap.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/prettify-min.js" %}"></script> <script src="{% static "rest_framework/js/prettify-min.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/default.js" %}"></script> <script src="{% static "rest_framework/js/default.js" %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static "rest_framework/js/load-ajax-form.js" %}"></script> <script src="{% static "rest_framework/js/load-ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
{% endblock %} {% endblock %}
</body> </body>

2
rest_framework/templates/rest_framework/docs/error.html
View File

@ -66,6 +66,6 @@ at <code>rest_framework/docs/error.html</code>.</p>
<script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}"></script> <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
</body> </body>
</html> </html>

14
rest_framework/templates/rest_framework/docs/index.html
View File

@ -17,8 +17,8 @@
<link href="{% static 'rest_framework/docs/img/favicon.ico' %}" rel="shortcut icon"> <link href="{% static 'rest_framework/docs/img/favicon.ico' %}" rel="shortcut icon">
{% if code_style %}<style>{{ code_style }}</style>{% endif %} {% if code_style %}<style>{{ code_style }}</style>{% endif %}
<script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}"></script> <script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% url 'api-docs:schema-js' %}"></script> <script src="{% url 'api-docs:schema-js' %}" nonce="{{ request.csp_nonce }}"></script>
</head> </head>
@ -38,11 +38,11 @@
{% include "rest_framework/docs/auth/basic.html" %} {% include "rest_framework/docs/auth/basic.html" %}
{% include "rest_framework/docs/auth/session.html" %} {% include "rest_framework/docs/auth/session.html" %}
<script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}"></script> <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static 'rest_framework/js/bootstrap.min.js' %}"></script> <script src="{% static 'rest_framework/js/bootstrap.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static 'rest_framework/docs/js/jquery.json-view.min.js' %}"></script> <script src="{% static 'rest_framework/docs/js/jquery.json-view.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% static 'rest_framework/docs/js/api.js' %}"></script> <script src="{% static 'rest_framework/docs/js/api.js' %}" nonce="{{ request.csp_nonce }}"></script>
<script> <script nonce="{{ request.csp_nonce }}">
{% if user.is_authenticated %} {% if user.is_authenticated %}
window.auth = { window.auth = {
'type': 'session', 'type': 'session',

4
rest_framework/templates/rest_framework/docs/langs/javascript-intro.html
View File

@ -1,5 +1,5 @@
{% load rest_framework %} {% load rest_framework %}
{% load static %} {% load static %}
<pre class="highlight javascript hide" data-language="javascript"><code>{% code html %}<!-- Load the JavaScript client library --> <pre class="highlight javascript hide" data-language="javascript"><code>{% code html %}<!-- Load the JavaScript client library -->
<script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}"></script> <script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}" nonce="{{ request.csp_nonce }}"></script>
<script src="{% url 'api-docs:schema-js' %}"></script>{% endcode %}</code></pre> <script src="{% url 'api-docs:schema-js' %}" nonce="{{ request.csp_nonce }}"></script>{% endcode %}</code></pre>