New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce
inclusion into `<script>` and `<link>` elements.
`{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is
present in the template context, and renders nothing otherwise.
`{% csp_nonce_attr media %}` renders a `Media` object's assets with the
nonce attr applied to each tag.
Thanks Jacob Walls for the accurate and spot-on review comments.
Co-authored-by: Johannes Maron <johannes@maron.family>
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
This initial work adds a pair of settings to configure specific CSP
directives for enforcing or reporting policy violations, a new
`django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the
appropriate headers to responses, and a context processor to support CSP
nonces in templates for safely inlining assets.
Relevant documentation has been added for the 6.0 release notes,
security overview, a new how-to page, and a dedicated reference section.
Thanks to the multiple reviewers for their precise and valuable feedback.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
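The two CSP commits above describe a contract: per-response nonce, the same value emitted in the policy header and in the `nonce="..."` attribute of each inline asset tag, and nothing rendered when no nonce is in the template context. The following is an added, self-contained illustration of that contract written for this page; it is not Django's middleware, context processor or template tag, and it does not depend on Django. The setting dicts `CSP_ENFORCE` and `CSP_REPORT_ONLY`, the `NONCE` placeholder string, and the function names are constructed for the example; Django's real setting names and structure are not claimed here.

```python
import base64
import html
import secrets
from typing import Optional

# Constructed stand-in for "a pair of settings" listing CSP directives, one
# for the enforcing header and one for the report-only header. The real
# Django setting names and shapes are not asserted by this example.
NONCE = "NONCE"  # placeholder the builder swaps for the per-response nonce

CSP_ENFORCE = {
    "default-src": ["'self'"],
    "script-src": ["'self'", NONCE],
    "style-src": ["'self'", NONCE],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
}
CSP_REPORT_ONLY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", NONCE],
    "report-uri": ["/csp-report/"],
}


def generate_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable nonce: 128 bits from the OS CSPRNG, base64-encoded.
    A nonce must never be reused across responses, or the policy is bypassable."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_policy(directives: dict, nonce: Optional[str]) -> str:
    """Serialize directives to header syntax, expanding NONCE to 'nonce-<value>'.
    Without a nonce the placeholder is dropped rather than emitted literally."""
    parts = []
    for name, values in directives.items():
        rendered = []
        for value in values:
            if value == NONCE:
                if nonce is not None:
                    rendered.append(f"'nonce-{nonce}'")
            else:
                rendered.append(value)
        parts.append(" ".join([name] + rendered))
    return "; ".join(parts)


def csp_headers(nonce: Optional[str], enforce=CSP_ENFORCE, report_only=CSP_REPORT_ONLY) -> dict:
    """Headers a middleware would attach; an empty setting yields no header."""
    headers = {}
    if enforce:
        headers["Content-Security-Policy"] = build_policy(enforce, nonce)
    if report_only:
        headers["Content-Security-Policy-Report-Only"] = build_policy(report_only, nonce)
    return headers


def csp_nonce_attr(context: dict) -> str:
    """Same contract as the tag: nonce="<value>" if csp_nonce is in the context,
    otherwise an empty string. The value is attribute-escaped defensively."""
    nonce = context.get("csp_nonce")
    if not nonce:
        return ""
    return f'nonce="{html.escape(nonce, quote=True)}"'


def render_media(context: dict, js=(), css=()) -> str:
    """Render a Media-like asset list with the nonce attr on every tag
    (the {% csp_nonce_attr media %} form). Asset paths are constructed."""
    attr = csp_nonce_attr(context)
    sep = " " if attr else ""
    tags = [f'<link{sep}{attr} rel="stylesheet" href="{html.escape(h)}">' for h in css]
    tags += [f'<script{sep}{attr} src="{html.escape(s)}"></script>' for s in js]
    return "\n".join(tags)


def handle_request(template_uses_nonce: bool = True):
    """Middleware-style flow: one nonce per response, exposed to the template
    through the context and embedded in the header. Returns (headers, body, nonce)."""
    nonce = generate_nonce()
    context = {"csp_nonce": nonce} if template_uses_nonce else {}
    body = render_media(context, js=["/static/app.js"], css=["/static/app.css"])
    return csp_headers(nonce), body, nonce


if __name__ == "__main__":
    headers, body, nonce = handle_request()
    print(headers["Content-Security-Policy"])
    print(body)
```

The check a practitioner cares about is the last assertion-style property in `handle_request`: the nonce in `Content-Security-Policy` and the one in every `nonce="..."` attribute come from the same per-response value, and two responses never share it. A template rendered without `csp_nonce` in its context gets plain tags, which the enforcing policy will then block for inline use, so "renders nothing otherwise" is the safe failure mode.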
Fixed inner imports per isort 5.
isort 5.0.0 to 5.1.0 was unstable.
The smart_* version should only be used when a lazy string should keep
its lazy status.
This significantly improves performance on PyPy. The previous
implementation would generate a new class on every single request,
which is relatively slow.