
Usage when also using django-csp #946

Open
darakian opened this issue Jun 26, 2019 · 4 comments · May be fixed by #989

Comments

darakian commented Jun 26, 2019

Hey all,

I've got a bunch of js files in html templates which I'm compressing as

{% compress js %}
    <script src="{% static "dir1/code1.js" %}"></script>
    <script src="{% static "dir2/foo/bar/js/code2.js" %}"></script>
    <script src="{% static "dir2/foo/bar/js/code3.js" %}"></script>
    <script src="{% static "dir2/foo/bar/js/code4.js" %}"></script>
...
{% endcompress %}

And this works well. However I'm trying to add nonce-ing as

{% compress js %}
    <script nonce="{{request.csp_nonce}}" src="{% static "dir1/code1.js" %}"></script>
    <script nonce="{{request.csp_nonce}}" src="{% static "dir2/foo/bar/js/code2.js" %}"></script>
    <script nonce="{{request.csp_nonce}}" src="{% static "dir2/foo/bar/js/code3.js" %}"></script>
    <script nonce="{{request.csp_nonce}}" src="{% static "dir2/foo/bar/js/code4.js" %}"></script>
...
{% endcompress %}

The string {{request.csp_nonce}} seems to get picked up as a jinja variable and I'm getting an OfflineGenerationError: You have offline compression enabled but key "some hash" is missing from offline manifest. I've tried adding

COMPRESS_OFFLINE_CONTEXT = {
    'request.csp_nonce': '{{request.csp_nonce}}',
}

to my settings file, but no dice. I've also checked the manifest file and indeed the hash is missing. I'm not sure where it's coming from. Has anyone worked with this combination? Am I missing something obvious?

diox (Member) commented Jun 26, 2019

There are a couple of issues here:

  • {{ request.csp_nonce }} is dynamic, so you can't easily have it in COMPRESS_OFFLINE_CONTEXT. (it can be a callable but that doesn't help much, you can't depend on the request)
  • Even if you did, compressor uses its own templates for generating the <script> so it would just not be used at all.

The way out of this is to modify the template compressor uses (compressor/js_file.html or compressor/js_inline.html, include your own in one of your template dirs making sure it's overriding compressor's) to make use of {{ request.csp_nonce }}. Essentially doing it that way completely bypasses the offline context problem entirely.

Ideally, someone (you? :) would make a patch against compressor that does this automatically if a request_csp_nonce=True parameter is passed and django-csp is installed, it could be useful to others.
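The two points above, as an added example that is not part of this thread, of django-compressor or of django-csp: a plain-Python stand-in for an overridden compressor/js_file.html that carries the nonce, a per-request nonce generator, and a check that the nonce in the emitted tag is the one the Content-Security-Policy header allows. The template string, the bundle URL and the function names are assumptions for the illustration; `precompute_offline` shows what freezing the nonce into an offline context would amount to (one nonce reused on every response), which is the property a reviewer should check for.

```python
import base64
import re
import secrets

# Constructed stand-in for a nonce-aware override of compressor/js_file.html.
# Django's real template would use {{ nonce }} / {{ url }}; str.format is used
# here only so the example runs without Django.
JS_FILE_TEMPLATE = '<script nonce="{nonce}" src="{url}"></script>'


def make_nonce(num_bytes=16):
    """Per-request CSP nonce: 128 bits from the OS CSPRNG, base64-encoded as CSP expects."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_csp_header(nonce, extra_sources=("'self'",)):
    """script-src directive allowing the given sources plus scripts carrying this nonce."""
    sources = " ".join(extra_sources + (f"'nonce-{nonce}'",))
    return f"script-src {sources}"


def render_compressed_script(url, nonce):
    """Render the compressed bundle's <script> tag with the request's nonce."""
    return JS_FILE_TEMPLATE.format(nonce=nonce, url=url)


def render_response(bundle_url):
    """Simulate one request: a fresh nonce is minted and used in both header and body."""
    nonce = make_nonce()
    return {
        "header": build_csp_header(nonce),
        "body": render_compressed_script(bundle_url, nonce),
        "nonce": nonce,
    }


def precompute_offline(bundle_url):
    """What a nonce baked into COMPRESS_OFFLINE_CONTEXT would amount to: the tag is
    rendered once at build time, so the returned callable serves the same nonce on
    every request (assumed behaviour, shown here to make the flaw visible)."""
    frozen_nonce = make_nonce()
    frozen_body = render_compressed_script(bundle_url, frozen_nonce)

    def serve():
        return {
            "header": build_csp_header(frozen_nonce),
            "body": frozen_body,
            "nonce": frozen_nonce,
        }

    return serve


_NONCE_ATTR = re.compile(r'nonce="([^"]+)"')


def nonce_matches(response):
    """True when the nonce attribute in the body is the one the header allows."""
    match = _NONCE_ATTR.search(response["body"])
    return match is not None and f"'nonce-{match.group(1)}'" in response["header"]


def nonce_reused(responses):
    """True when any two responses share a nonce; a correct deployment never does."""
    nonces = [r["nonce"] for r in responses]
    return len(set(nonces)) < len(nonces)


if __name__ == "__main__":
    url = "/static/CACHE/js/output.deadbeef.js"  # constructed bundle URL
    live = [render_response(url) for _ in range(3)]
    print("per-request nonces consistent:", all(nonce_matches(r) for r in live))
    print("per-request nonces reused:", nonce_reused(live))
    frozen = precompute_offline(url)
    print("offline-frozen nonces reused:", nonce_reused([frozen(), frozen()]))
```

`nonce_reused` is the check worth keeping around: run it against a handful of responses from the same page and a True result means the nonce is being cached somewhere (offline manifest, page cache, CDN) rather than minted per request.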

darakian (Author) commented Jun 26, 2019

@diox Thanks for the info. This is actually my first brush with compressor. I'll look into making a PR for this as having it upstream would certainly be better for me as well. Let me look at this and I'll put something up. Thanks for the lead.

darakian (Author) commented

I've opened a PR here #947 with the rudiments of the idea.

iamareebjamal added a commit to iamareebjamal/django-compressor that referenced this issue Feb 17, 2020
- [ ] Add template changes
- [ ] Add branches for non-csp users

Fixes django-compressor#946
@iamareebjamal iamareebjamal linked a pull request Feb 17, 2020 that will close this issue
iamareebjamal added a commit to iamareebjamal/django-compressor that referenced this issue Feb 18, 2020
- [ ] Add template changes
- [ ] Add branches for non-csp users

Fixes django-compressor#946
DylanYoung commented May 28, 2022

Seems to me this would be better handled in django-csp.

I think we'd just have to modify https://github.com/mozilla/django-csp/blob/main/csp/utils.py#L158 to check for a src attribute and if one exists, pull it up to the nonced script (and raise an error if there was also content).

(as long as that plays well with offline compression, but I don't see why it wouldn't).
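The rule proposed in the comment above, written out as an added stand-alone example (not django-csp's code and not the function at the linked line): parse one <script> element, carry its src attribute onto the nonced tag, and refuse the element when it has both a src and inline content, since a browser silently ignores the inline content in that case and silently dropping script is not something a CSP helper should do. `nonce_script_tag` and `rejects` are hypothetical names; the input fragments in the test are constructed.

```python
from html import escape
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect the attributes and raw content of the first <script> element seen."""

    def __init__(self):
        super().__init__()
        self.attrs = None
        self.content = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and self.attrs is None:
            self.attrs = dict(attrs)  # boolean attrs such as async come through as None
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser treats <script> bodies as raw text, so this is the literal content.
        if self._in_script:
            self.content.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def nonce_script_tag(fragment, nonce):
    """Return the <script> from `fragment` rebuilt with `nonce`, keeping src or content.

    Raises ValueError when no <script> is present or when the element carries both a
    src attribute and inline content (the HTML spec ignores the content in that case).
    """
    parser = _ScriptCollector()
    parser.feed(fragment)
    parser.close()
    if parser.attrs is None:
        raise ValueError("no <script> element found in fragment")

    src = parser.attrs.get("src")
    content = "".join(parser.content).strip()
    if src is not None and content:
        raise ValueError("<script> has both src and inline content; refusing to drop either")

    # Fresh nonce first, then the original attributes minus any stale nonce.
    attrs = {"nonce": nonce}
    attrs.update((k, v) for k, v in parser.attrs.items() if k != "nonce")

    rendered = []
    for name, value in attrs.items():
        if value is None:
            rendered.append(name)  # boolean attribute, e.g. defer
        else:
            rendered.append(f'{name}="{escape(value, quote=True)}"')
    return f"<script {' '.join(rendered)}>{content}</script>"


def rejects(fragment, nonce):
    """True when nonce_script_tag refuses the fragment (used for checks and tests)."""
    try:
        nonce_script_tag(fragment, nonce)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    nonce = "constructedNonceValue=="  # constructed; real nonces come from a CSPRNG per request
    print(nonce_script_tag('<script src="/static/CACHE/js/output.js"></script>', nonce))
    print(nonce_script_tag("<script>console.log('inline')</script>", nonce))
    print(rejects('<script src="/x.js">alert(1)</script>', nonce))
```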
