Why does my content-security-profile (django-csp) not work properly for a view/template loaded in a bootstrap modal? Works fine otherwise
I didn't include the template code because it is irrelevant. This is the script tag in the template:
<script nonce="{{ CSP_NONCE }}" src="{% static 'js/mmImport.js' %}" defer
data-mmimporturl="{% url 'mmImport' %}">
</script>
settings.py
MIDDLEWARE = [
    'csp.middleware.CSPMiddleware',
    ....]
# Content Security Policy
# Note the trailing commas: ("'self'") is just a string, ("'self'",) is a one-element tuple
CSP_DEFAULT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
CSP_STYLE_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_INCLUDE_NONCE_IN = ('script-src',)
So two scenarios...
- I load this view/template in a modal that is in the homepage. If I include 'unsafe-inline', no issues. It works. Form/view/template behaves normally. Without 'unsafe-inline' and just the above policies, it gives the following error:
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (mmHomepage, line 0)
- I load the view as its own page/template, not a modal. Straightforward Django template. With CSP policies as above, the page works normally. No errors.
I suspect it is the way a view/template is handled by bootstrap modals. Not sure where to look. I am new to Django-csp so not familiar with this. Just started familiarizing myself with the spec.
I also tried bringing this js code into the template, so not calling a separate file. No luck. Same error.
Please help! Thanks!
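To show the nonce rule the browser error above refers to, here is an added Python illustration (not django-csp's code and not from the question): it renders the policy header the settings above ask for (CSP_INCLUDE_NONCE_IN appends a per-response 'nonce-…' source to script-src) and applies the browser's nonce check to a script. The helper names and the nonce generator are hypothetical; django-csp mints a fresh nonce for every request, so a nonce only matches scripts rendered into that same response.

```python
import re
import secrets
from typing import Optional

# Settings as in the question, written as real tuples (trailing commas).
CSP_DEFAULT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
CSP_STYLE_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_INCLUDE_NONCE_IN = ("script-src",)


def new_nonce() -> str:
    """Hypothetical per-response nonce, like the one django-csp puts in request.csp_nonce."""
    return secrets.token_urlsafe(16)


def build_policy(nonce: str) -> str:
    """Render the Content-Security-Policy value for the settings above,
    adding 'nonce-<value>' to every directive named in CSP_INCLUDE_NONCE_IN."""
    directives = {
        "default-src": CSP_DEFAULT_SRC,
        "img-src": CSP_IMG_SRC,
        "style-src": CSP_STYLE_SRC,
        "script-src": CSP_SCRIPT_SRC,
    }
    parts = []
    for name, sources in directives.items():
        values = list(sources)
        if name in CSP_INCLUDE_NONCE_IN:
            values.append(f"'nonce-{nonce}'")
        parts.append(f"{name} {' '.join(values)}")
    return "; ".join(parts)


def nonce_allowed(policy: str, script_nonce: Optional[str]) -> bool:
    """Browser-side rule behind the error in the question: a script's nonce must
    appear in script-src; 'unsafe-inline' only counts when the directive lists
    no nonce at all (a nonce in the directive makes 'unsafe-inline' ignored)."""
    match = re.search(r"(?:^|;)\s*script-src\s+([^;]*)", policy)
    if not match:
        return False
    sources = match.group(1).split()
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonces:
        return script_nonce in nonces
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    homepage_nonce, modal_nonce = new_nonce(), new_nonce()
    policy = build_policy(homepage_nonce)
    print(policy)
    print("same response:", nonce_allowed(policy, homepage_nonce))   # True
    print("other response:", nonce_allowed(policy, modal_nonce))     # False
```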