Support the strictest CSP with nonce for scripts

Mogost · Mogost · commit 93a091304e1a · 2024-08-23T23:19:56.000+05:00
diff --git a/rest_framework/templates/rest_framework/admin.html b/rest_framework/templates/rest_framework/admin.html
@@ -244,19 +244,19 @@ <h4 class="modal-title" id="myModalLabel">{{ error_title }}</h4>
       {% endif %}
 
       {% block script %}
-        <script type="application/json" id="drf_csrf">
+        <script type="application/json" id="drf_csrf" nonce="{{ request.csp_nonce }}">
           {
             "csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}",
             "csrfToken": "{{ csrf_token }}"
           }
         </script>
-        <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}"></script>
-        <script src="{% static "rest_framework/js/ajax-form.js" %}"></script>
-        <script src="{% static "rest_framework/js/csrf.js" %}"></script>
-        <script src="{% static "rest_framework/js/bootstrap.min.js" %}"></script>
-        <script src="{% static "rest_framework/js/prettify-min.js" %}"></script>
-        <script src="{% static "rest_framework/js/default.js" %}"></script>
-        <script src="{% static "rest_framework/js/load-ajax-form.js" %}"></script>
+        <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/csrf.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/bootstrap.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/prettify-min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/default.js" %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static "rest_framework/js/load-ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
       {% endblock %}
     </body>
   {% endblock %}
diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
@@ -287,19 +287,19 @@ <h1>{{ name }}</h1>
     {% endif %}
 
     {% block script %}
-      <script type="application/json" id="drf_csrf">
+      <script type="application/json" id="drf_csrf" nonce="{{ request.csp_nonce }}">
         {
           "csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}",
           "csrfToken": "{% if request %}{{ csrf_token }}{% endif %}"
         }
       </script>
-      <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}"></script>
-      <script src="{% static "rest_framework/js/ajax-form.js" %}"></script>
-      <script src="{% static "rest_framework/js/csrf.js" %}"></script>
-      <script src="{% static "rest_framework/js/bootstrap.min.js" %}"></script>
-      <script src="{% static "rest_framework/js/prettify-min.js" %}"></script>
-      <script src="{% static "rest_framework/js/default.js" %}"></script>
-      <script src="{% static "rest_framework/js/load-ajax-form.js" %}"></script>
+      <script src="{% static "rest_framework/js/jquery-3.7.1.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/csrf.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/bootstrap.min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/prettify-min.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/default.js" %}" nonce="{{ request.csp_nonce }}"></script>
+      <script src="{% static "rest_framework/js/load-ajax-form.js" %}" nonce="{{ request.csp_nonce }}"></script>
     {% endblock %}
 
   </body>
diff --git a/rest_framework/templates/rest_framework/docs/error.html b/rest_framework/templates/rest_framework/docs/error.html
@@ -66,6 +66,6 @@ <h2>Overriding this template</h2>
 
 
 
-        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}"></script>
+        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
     </body>
 </html>
diff --git a/rest_framework/templates/rest_framework/docs/index.html b/rest_framework/templates/rest_framework/docs/index.html
@@ -17,8 +17,8 @@
         <link href="{% static 'rest_framework/docs/img/favicon.ico' %}" rel="shortcut icon">
 
         {% if code_style %}<style>{{ code_style }}</style>{% endif %}
-        <script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}"></script>
-        <script src="{% url 'api-docs:schema-js' %}"></script>
+        <script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% url 'api-docs:schema-js' %}" nonce="{{ request.csp_nonce }}"></script>
 
     </head>
 
@@ -38,11 +38,11 @@
         {% include "rest_framework/docs/auth/basic.html" %}
         {% include "rest_framework/docs/auth/session.html" %}
 
-        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}"></script>
-        <script src="{% static 'rest_framework/js/bootstrap.min.js' %}"></script>
-        <script src="{% static 'rest_framework/docs/js/jquery.json-view.min.js' %}"></script>
-        <script src="{% static 'rest_framework/docs/js/api.js' %}"></script>
-        <script>
+        <script src="{% static 'rest_framework/js/jquery-3.7.1.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static 'rest_framework/js/bootstrap.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static 'rest_framework/docs/js/jquery.json-view.min.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script src="{% static 'rest_framework/docs/js/api.js' %}" nonce="{{ request.csp_nonce }}"></script>
+        <script nonce="{{ request.csp_nonce }}">
             {% if user.is_authenticated %}
                 window.auth = {
                     'type': 'session',
diff --git a/rest_framework/templates/rest_framework/docs/langs/javascript-intro.html b/rest_framework/templates/rest_framework/docs/langs/javascript-intro.html
@@ -1,5 +1,5 @@
 {% load rest_framework %}
 {% load static %}
 <pre class="highlight javascript hide" data-language="javascript"><code>{% code html %}<!-- Load the JavaScript client library -->
-<script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}"></script>
-<script src="{% url 'api-docs:schema-js' %}"></script>{% endcode %}</code></pre>
+<script src="{% static 'rest_framework/js/coreapi-0.1.1.js' %}" nonce="{{ request.csp_nonce }}"></script>
+<script src="{% url 'api-docs:schema-js' %}" nonce="{{ request.csp_nonce }}"></script>{% endcode %}</code></pre>
