CSP Violation in Django REST Framework #3020
Comments
Good news: The key changes are: encode/django-rest-framework#7016, encode/django-rest-framework#8783, and encode/django-rest-framework#8784.
Think it's worth asking for a release? I kind of hate pinned versions.
Yup, exactly. Lurking in their discussion group, it doesn't look like a release will be forthcoming. From a recent discussion in Django REST framework:
Wait, so their readme says it's supported, but the only way to get support is to use
Evidently. I mean the readme is drawn from
OK, well, let's do it, I guess.
`django-rest-framework` has received several patches for CSP compatibility, but unfortunately these are not included in the latest release (3.14.0) and a new release cannot be expected for a while. As such, we must replace the semantically versioned PyPI reference with a reference to the latest commit on the master branch of the package's Git Repository (do not use `master` since it could change in unexpected and incompatible ways). Fixes: freelawproject#3020
`django-rest-framework` has received several patches for CSP compatibility, but unfortunately these are not included in the latest release (3.14.0) and a new release cannot be expected for a while. As such, we must replace the semantically versioned PyPI reference with a reference to the latest commit on the master branch of the package's Git Repository that contains the changes that we need (do not use `master` since it could change in unexpected and incompatible ways). Included in this change is the `inflection` package, an unfortunate dependency added by encode/django-rest-framework#8017 and later made less obtrusive by encode/django-rest-framework#8781, but it did not eliminate it. Any usage of the schema generator must be done in an environment that includes this package. Fixes: freelawproject#3020
`django-rest-framework` has received several patches for CSP compatibility, but unfortunately these are not included in the latest release (3.14.0) and a new release cannot be expected for a while. As such, we must replace the semantically versioned PyPI reference with a reference to the latest commit on the master branch of the package's Git Repository that contains the changes that we need (do not use `master` since it could change in unexpected and incompatible ways). Included in this change is the use of `inflection` for the OpenAPI spec's `operationIds`, an unfortunate dependency added by encode/django-rest-framework#8017 and later made less obtrusive by encode/django-rest-framework#8781. Any usage of the schema generator must be done in an environment that includes this package. Additionally, this new approach makes the generated `operationId` that was `listPersons` into `listPeople`. Thankfully, this is immaterial. Fixes: freelawproject#3020
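The commit message above makes a supply-chain point that is easy to get wrong in a requirements file: a Git dependency must reference a specific commit id, not a branch name such as `master`, or the installed code can change underneath the project. The script below is an added example, not code from the courtlistener project or from Django REST framework. It scans a requirements file and reports every Git reference that resolves to a mutable ref (a branch, a tag, or no ref at all) as well as PyPI entries that are not pinned to an exact version. The function names and the sample requirements text are assumptions constructed for this example; the 40-character hex string is a placeholder, not a real commit.

```python
"""Flag mutable Git refs and unpinned versions in a pip requirements file."""
import re
from dataclasses import dataclass

# A full Git commit id is 40 lowercase hex characters (SHA-1).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# pip's VCS URL forms: git+https://..., git+ssh://..., optionally with @ref and #egg=.
GIT_URL_RE = re.compile(r"git\+(?:https?|ssh)://[^\s#]+")
# A bare project name with optional extras, e.g. "inflection" or "pkg[extra]".
NAME_ONLY_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+$")


@dataclass
class Finding:
    line_no: int
    requirement: str
    status: str  # "ok", "mutable-ref", "unpinned" or "unrecognized"
    detail: str


def classify_git_ref(url: str) -> tuple[str, str]:
    """Classify a git+... URL: "ok" only when it points at a full commit id."""
    path = url.split("://", 1)[1]
    # Only look at the last path segment so "git@github.com" user info is ignored.
    tail = path[path.rfind("/") + 1:]
    if "@" not in tail:
        return "mutable-ref", "no ref given; resolves to the default branch"
    ref = tail.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "ok", f"pinned to commit {ref[:12]}"
    return "mutable-ref", f"ref {ref!r} is a branch or tag name, not a commit id"


def check_requirements(text: str) -> list[Finding]:
    """Return one Finding per requirement line (comments and pip options skipped)."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments (pip requires whitespace before '#'); keep '#egg='.
        line = re.split(r"\s+#", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        url = GIT_URL_RE.search(line)
        if url:
            status, detail = classify_git_ref(url.group(0))
        elif "==" in line:
            status, detail = "ok", "exact version pin"
        elif re.search(r"[<>~!]=|[<>]", line):
            status, detail = "unpinned", "version range, not an exact pin"
        elif NAME_ONLY_RE.match(line):
            status, detail = "unpinned", "no version specifier"
        else:
            status, detail = "unrecognized", "could not parse this line"
        findings.append(Finding(line_no, line, status, detail))
    return findings


def mutable_refs(text: str) -> list[Finding]:
    """Convenience filter: only the Git references that are not commit-pinned."""
    return [f for f in check_requirements(text) if f.status == "mutable-ref"]


# Constructed sample input; the 40-hex value is a placeholder, not a real commit.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file for this example
Django==4.2.0
djangorestframework @ git+https://github.com/encode/django-rest-framework@master
djangorestframework @ git+https://github.com/encode/django-rest-framework@0123456789abcdef0123456789abcdef01234567
git+ssh://git@github.com/example/other-lib#egg=other-lib
requests>=2.0
inflection
"""

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {finding.line_no}: {finding.status:12} {finding.detail}")
```

Run it against a real requirements file by passing the file's contents to `check_requirements`; a CI job can fail on any `mutable-ref` result, which is exactly the situation the commit message warns about. Note that a commit id pins the source but does not verify it; pip's `--hash` option remains the way to pin the downloaded artifact itself, and this script does not check for it.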
I found one!
If you load this page:
https://www.courtlistener.com/api/rest/v3/
You'll see that there's a CSP violation:
Drat. We'll want to fix this. I've noticed on the page, for example, that the OPTIONS button no longer works.