ChefCodev changed the title from "Why does my content-security-profile not work properly for a view/template loaded in a bootstrap modal? Works fine otherwise" to "Modal that loads new view/template into another view/template doesn't respect the CSP; Fails to run scripts." on Oct 8, 2024
I didn't include the template code because it is irrelevant. This is the script tag in the template:
In Settings.py
So two scenarios...
1. I load this view/template in a modal that is in the homepage. If I include 'unsafe-inline', no issues. It works. Form/view/template behaves normally. Without 'unsafe-inline' and just the above policies, it gives the following error:
   [Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (mmHomepage, line 0)
2. I load the view as its own page/template; not a modal. Straightforward Django template. With CSP policies as above, the page works normally. No errors.
I suspect it is the way a view/template is handled by bootstrap modals. Not sure where to look. I am new to Django-csp so not familiar with this. Just started familiarizing myself with the spec.
I also tried bringing this js code into the template, so not calling a separate file. No luck. Same error.
UPDATE: I used a decorator to override CSP on the homepage view:
This allowed the modal template JS to run without any errors.
Overriding the modal view with csp_exempt, however, and leaving the policy in place on the homepage, does not work.
I confirmed using curl that the modal view/template still had the same CSP policy applied; it did.
So... essentially it appears that the homepage CSP is conflicting with the modal template CSP.
I'll continue plugging away but any suggestions are welcome!
Please help! Thanks!
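A browser enforces the policy of the document a script runs in, so markup fetched for a modal and inserted into the already-loaded homepage is judged by the homepage's `script-src`, whatever header the modal view's own response carried. The following check is an added example, not code from this issue or from django-csp: it lists the inline scripts in a fragment that a given host-page policy would refuse. It assumes the modal loader inserts the fragment's markup into the host document; the function names, policies and fragment are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def script_src_tokens(policy):
    """Source list that governs scripts: script-src, falling back to default-src."""
    directives = {}
    for part in policy.split(";"):
        words = part.split()
        if words:
            directives.setdefault(words[0].lower(), words[1:])
    return directives.get("script-src", directives.get("default-src"))

def inline_allowed(tokens, body, nonce):
    """Simplified CSP check for one inline script (sha256 hashes only)."""
    if tokens is None:  # no directive governs scripts
        return True
    digest = base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
    if f"'sha256-{digest}'" in tokens or (nonce and f"'nonce-{nonce}'" in tokens):
        return True
    # Browsers ignore 'unsafe-inline' once the list carries a nonce or hash.
    strict = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in tokens)
    return "'unsafe-inline'" in tokens and not strict

class InlineScripts(HTMLParser):
    """Collect <script> elements without a src attribute from a fragment."""
    def __init__(self):
        super().__init__()
        self.found, self._open = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._open = {"nonce": attrs.get("nonce"), "body": ""}
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.found.append(self._open)
            self._open = None

def blocked_inline_scripts(host_policy, fragment_html):
    """Inline scripts in the fragment that the HOST page's policy refuses."""
    tokens = script_src_tokens(host_policy)
    parser = InlineScripts()
    parser.feed(fragment_html)
    return [s["body"].strip() for s in parser.found
            if not inline_allowed(tokens, s["body"], s["nonce"])]

SAMPLE_FRAGMENT = '<form id="f"></form><script>initForm();</script>'  # constructed
```

The fragment's own response header is deliberately not an input: only the host page's policy decides the outcome.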