Document CSP nonce requirements for Django Debug Toolbar compatibility

[robhudson]

In a comment it was pointed out that users with django-csp enabled may need some extra set up to allow the debug toolbar to function correctly. Since these users will get the nonce applied to the toolbar's <script> tags.

Perhaps some documentation along these lines should be included in the documentation...

---

Debug Toolbar and CSP Nonces

When using django-csp, the toolbar's inline <script> tags will include CSP nonces. To ensure the debug toolbar functions correctly during development, make sure the nonce is included in your script-src directive in the Content-Security-Policy header.

[Zerotask]

Thank you for creating this issue.

You also have to adjust the style-src and add unsafe-inline.

With django-csp you have to ensure, that your settings look like this:

CSP_SCRIPT_SRC = ["'self'", "'unsafe-inline'"]
CSP_STYLE_SRC = ["'self'", "'unsafe-inline'"]

In our case, we didn't want to set unsafe-inline for script-src and style-src and therefore I was a bit confused that I had these issues after updating it since it was nowhere documented that you need to do that.

[tim-schilling]

@robhudson is it possible for us to include example code for:

To ensure the debug toolbar functions correctly during development, make sure the nonce is included in your script-src directive in the Content-Security-Policy header.