Changes to make browsable API compatible with strong CSP [WIP] by jxcl · Pull Request #5740 · encode/django-rest-framework
Sorry! I got caught up in what I was doing and totally didn't realize I was using acronyms. CSP stands for Content Security Policy. (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
A site using CSP (without unsafe-inline) will, by default, prevent inline javascript from running. Everything has to be loaded from other files. This mitigates the risk of XSS attacks, since if your application somehow renders valid and unescaped javascript from user input, it won't be run.
DRF is currently incompatible with a strong CSP precisely because it uses inline javascript. By injecting the template variables into javascript with an application/json tag instead of javascript and moving all current inline javascript to external files, DRF can be made compatible with a CSP that does not allow unsafe-inline.
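The pattern the comment describes, as an added example that is not code from the pull request or from DRF: the server emits template values inside a script tag typed application/json (with the characters that could close the tag escaped as JSON unicode escapes), and the external script reads and parses that tag instead of executing inline code. The helper names, the element id and the fake document used to run it offline are all assumptions for illustration.

```javascript
// Escape a value for embedding in <script type="application/json">.
// JSON.stringify alone is not enough: a string such as "</script>" would
// terminate the tag, so '<', '>' and '&' are written as JSON \uXXXX escapes,
// which JSON.parse turns back into the original characters.
function escapeForJsonScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Server side: render the data tag. `id` must be a constant chosen by the
// template author, never user input.
function renderJsonScript(id, value) {
  return `<script id="${id}" type="application/json">${escapeForJsonScript(value)}</script>`;
}

// Client side (in the external .js file): read and parse the tag.
// `doc` is anything exposing getElementById, so the browser's `document`
// or the offline stand-in below.
function readJsonScript(doc, id) {
  const el = doc.getElementById(id);
  if (!el || el.type !== 'application/json') {
    throw new Error(`no application/json tag with id "${id}"`);
  }
  return JSON.parse(el.textContent);
}

// A CSP that forbids inline script; the page only works if every <script>
// is an external file or a non-executing data block like the one above.
const STRICT_CSP = "default-src 'self'; script-src 'self'";

// Minimal stand-in for the DOM so the example runs in Node (assumption).
function makeFakeDocument(html) {
  return {
    getElementById(id) {
      const re = new RegExp(`<script id="${id}" type="application/json">([\\s\\S]*?)</script>`);
      const m = html.match(re);
      return m ? { type: 'application/json', textContent: m[1] } : null;
    },
  };
}

// Constructed sample context, including a value that would break out of a
// naive inline <script> block if it were not escaped.
const SAMPLE_CONTEXT = { csrf: 'abc123', name: '</script><script>alert(1)</script>' };

function roundTrip(context) {
  const html = `<html><body>${renderJsonScript('drf-context', context)}</body></html>`;
  return { html, parsed: readJsonScript(makeFakeDocument(html), 'drf-context') };
}
```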