
Document CSP nonce requirements for Django Debug Toolbar compatibility #2058

robhudson opened this issue Jan 16, 2025 · 5 comments

@robhudson
Contributor

In a comment it was pointed out that users with django-csp enabled may need some extra setup to allow the debug toolbar to function correctly, since these users will get the nonce applied to the toolbar's `<script>` tags.

Perhaps some documentation along these lines should be included in the documentation...


> **Debug Toolbar and CSP Nonces**
>
> When using django-csp, the toolbar's inline `<script>` tags will include CSP nonces. To ensure the debug toolbar functions correctly during development, make sure the nonce is included in your `script-src` directive in the Content-Security-Policy header.

@Zerotask
Contributor

Thank you for creating this issue.

You also have to adjust the `style-src` and add `unsafe-inline`.

With django-csp you have to ensure that your settings look like this:

```python
CSP_SCRIPT_SRC = ["'self'", "'unsafe-inline'"]
CSP_STYLE_SRC = ["'self'", "'unsafe-inline'"]
```

In our case, we didn't want to set `unsafe-inline` for `script-src` and `style-src`, and therefore I was a bit confused that I had these issues after updating, since it was nowhere documented that you need to do that.

@tim-schilling
Member

@robhudson is it possible for us to include example code for:

> To ensure the debug toolbar functions correctly during development, make sure the nonce is included in your `script-src` directive in the Content-Security-Policy header.

@tim-schilling
Member

@robhudson this feels like it'll be handled via the code in #2088. Is that correct?

@robhudson
Contributor Author

> You also have to adjust the `style-src` and add `unsafe-inline`.
>
> With django-csp you have to ensure that your settings look like this:
>
> ```python
> CSP_SCRIPT_SRC = ["'self'", "'unsafe-inline'"]
> CSP_STYLE_SRC = ["'self'", "'unsafe-inline'"]
> ```
>
> In our case, we didn't want to set `unsafe-inline` for `script-src` and `style-src`, and therefore I was a bit confused that I had these issues after updating, since it was nowhere documented that you need to do that.

I'm a bit confused by this comment. I don't see any inlined JavaScript or CSS in the debug toolbar, so I'm not sure why `unsafe-inline` would be required. Could you share the browser console error, or what specifically in the toolbar was needing `unsafe-inline` to work?

@robhudson
Contributor Author

> @robhudson this feels like it'll be handled via the code in #2088. Is that correct?

I believe there's some nuances that should be documented still...

  • If a project already uses nonces, then djdt will output nonces, which allows the scripts and styles to load.
  • If a project doesn't use nonces, the project may need to ensure that the settings for `script-src` and `style-src` are set up correctly to allow the toolbar's assets to load.

Note: If a project is using django-csp <= 3.8, the setup is different than if using django-csp >= 4.0 (which is currently in beta testing).

Note: Also, "uses nonces" means that the nonce settings are configured and also that the content generated during the request/response cycle accessed the nonce, which triggers the creation of the nonce. If the content never accesses it, it does not get generated or added to the CSP header.

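The two bullets and the notes above describe three moving parts: which settings shape a given django-csp version uses, that the nonce is lazily created only when a template reads `request.csp_nonce`, and that a toolbar tag without a nonce only loads if `script-src` otherwise permits it. The following stand-alone model is an added example written for this thread, not code from django-csp or django-debug-toolbar. The two settings shapes (`CSP_*` lists with `CSP_INCLUDE_NONCE_IN` for <= 3.8, a `CONTENT_SECURITY_POLICY` dict with a `'nonce'` placeholder for >= 4.0) are reproduced from memory and should be treated as assumptions, as should the static asset path; the `Request` class simulates the lazy nonce rather than using Django's.

```python
"""Model of the django-csp / debug toolbar nonce interaction (added example,
not project code). Settings shapes are assumptions; the lazy nonce is simulated."""
import base64
import re
import secrets

# Assumed django-csp <= 3.8 shape: CSP_<DIRECTIVE> lists plus CSP_INCLUDE_NONCE_IN.
LEGACY_SETTINGS = {
    "CSP_SCRIPT_SRC": ["'self'"],
    "CSP_STYLE_SRC": ["'self'"],
    "CSP_INCLUDE_NONCE_IN": ["script-src", "style-src"],
}

# Assumed django-csp >= 4.0 shape: one CONTENT_SECURITY_POLICY dict where the
# "'nonce'" placeholder marks the directives that receive the per-request nonce.
NEW_SETTINGS = {"CONTENT_SECURITY_POLICY": {"DIRECTIVES": {
    "script-src": ["'self'", "'nonce'"],
    "style-src": ["'self'", "'nonce'"],
}}}

# Nonce-only variant (no 'self'): a common hardened policy.
STRICT_SETTINGS = {"CONTENT_SECURITY_POLICY": {"DIRECTIVES": {
    "script-src": ["'nonce'"], "style-src": ["'nonce'"],
}}}


def normalize(settings):
    """Map either settings shape to ({directive: [sources]}, {nonce directives})."""
    if "CONTENT_SECURITY_POLICY" in settings:
        raw = settings["CONTENT_SECURITY_POLICY"]["DIRECTIVES"]
        directives = {k: [s for s in v if s != "'nonce'"] for k, v in raw.items()}
        nonce_in = {k for k, v in raw.items() if "'nonce'" in v}
    else:
        directives = {
            key[4:].lower().replace("_", "-"): list(value)
            for key, value in settings.items()
            if key.startswith("CSP_") and key != "CSP_INCLUDE_NONCE_IN"
        }
        nonce_in = set(settings.get("CSP_INCLUDE_NONCE_IN", []))
    return directives, nonce_in


class Request:
    """Mimics request.csp_nonce: created on first access; only a nonce that was
    accessed during rendering is advertised in the response header."""

    def __init__(self):
        self._nonce = None

    @property
    def csp_nonce(self):
        if self._nonce is None:
            self._nonce = base64.b64encode(secrets.token_bytes(16)).decode()
        return self._nonce

    @property
    def nonce_was_used(self):
        return self._nonce is not None


def render_toolbar(request, emit_nonce):
    """The toolbar's script tag. Reading request.csp_nonce is what triggers
    nonce generation; a toolbar without nonce support never touches it."""
    src = "/static/debug_toolbar/js/toolbar.js"  # hypothetical same-origin path
    if emit_nonce:
        return f'<script src="{src}" nonce="{request.csp_nonce}"></script>'
    return f'<script src="{src}"></script>'


def build_header(directives, nonce_in, request):
    """Build the CSP header as a middleware would after the response is rendered."""
    parts = []
    for name, sources in directives.items():
        sources = list(sources)
        if name in nonce_in and request.nonce_was_used:
            sources.append(f"'nonce-{request.csp_nonce}'")
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def script_allowed(header, tag):
    """Reduced CSP check for one same-origin <script src>: 'self' or a matching
    nonce passes. Hosts, hashes, 'strict-dynamic' and default-src are ignored."""
    script_src = next(
        (p.split()[1:] for p in header.split("; ") if p.startswith("script-src")), []
    )
    if "'self'" in script_src:
        return True
    m = re.search(r'nonce="([^"]+)"', tag)
    return bool(m) and f"'nonce-{m.group(1)}'" in script_src


def simulate(settings, toolbar_emits_nonce):
    """One request/response cycle: render first (the template is what touches
    the nonce), then build the header on the way out. Returns (header, tag, ok)."""
    directives, nonce_in = normalize(settings)
    request = Request()
    tag = render_toolbar(request, toolbar_emits_nonce)
    header = build_header(directives, nonce_in, request)
    return header, tag, script_allowed(header, tag)
```

Running `simulate(STRICT_SETTINGS, False)` produces a header with no `'nonce-...'` source at all, because nothing read the nonce, and the toolbar tag is blocked; `simulate(STRICT_SETTINGS, True)` emits the nonce in both the tag and the header and the tag passes. With `'self'` present in `script-src` (both the legacy and 4.x settings above), the same-origin toolbar script loads whether or not a nonce is emitted, which is the reason `'unsafe-inline'` is not what makes the difference for a `<script src>` tag.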