| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2026-05-06 | Fixed #36784 -- Added csp_nonce_attr template tag for CSP nonce inclusion. | Natalia | |
| New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce inclusion into `<script>` and `<link>` elements. `{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is present in the template context, and renders nothing otherwise. `{% csp_nonce_attr media %}` renders a `Media` object's assets with the nonce attr applied to each tag. Thanks Jacob Walls for the accurate and spot on review comments. Co-authored-by: Johannes Maron <johannes@maron.family> | |||
| 2025-06-27 | Fixed #15727 -- Added Content Security Policy (CSP) support. | Rob Hudson | |
| This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |||
