Towards strict CSP Support via GSoC 2025
Improving Wagtail’s security with strict Content Security Policy support
On May 8, 2025, I received an email stating that my Google Summer of Code proposal had been accepted. It was an exciting moment, and 3 months later, I'm here to share how things went, along with links to all of the work that was done.
What Content Security Policies are for
Content Security Policies are a browser feature that lets a site restrict where scripts, styles and other resources may be loaded from, which prevents or limits the impact of injection attacks such as cross-site scripting. For Wagtail, the foundation of this project was laid in 2015 via a GitHub issue. Some fixes and discussions followed from that issue, and a few years later, another issue was created as a more up-to-date listing of Wagtail components that triggered strict CSP violations. Now, in 2025, an even more recent CSP audit was conducted.
All of this means that when my project began, the Wagtail CMS had a handful of issues holding it back from supporting strict CSP, summarized in this comment. That made planning very straightforward, so my mentor Sage and I drafted a GitHub project board that became the reference guide for my GSoC 2025.
What it means in Wagtail
In the context of Wagtail, it would be very straightforward to support basic CSP configurations, or even strict ones with nonces. But to get the best possible support, we decided to take on the needed refactorings. Not only that, but we also took the time to demonstrate CSPs: this work would be nothing without a place to test and document what is possible. The BakeryDemo and Wagtail.org websites were ideal, giving developers a template to walk through and a production site with CSP running.
Project tasks
The project was divided into sprints of focused tasks, with the easier fixes addressed first, to make room for tasks that depended on other members of the community. There was a pull request for refactoring the HTML and CSS across the CMS to remove inline styles, which a strict style-src directive blocks. My mentor and I reviewed it and quickly merged it. This was the first merge of my project. Shortly after, I sent in another Pull Request (PR) for style-src, covering inline styles produced by JavaScript code.
InlinePanel refactors
After style-src, the logical progression was to tackle script-src issues in the codebase. However, the component causing these problems was part of a larger system that required a refactor: Inline Panels. The first part of the refactor was already in the works by LB and other core team members. While that was in review, I proceeded to fix an issue with a client-facing aspect: background positioning. This depended on some feedback from the core team.
The primary target of the next sprint was inline panel refactoring. There was already a PR in place for this, but it was incomplete and the intended implementation needed review. The contributor allowed me to continue the work, which I did in a separate branch/PR. Work on the new branch went on asynchronously and is still in progress at the time of writing. Its async nature allowed me to take on other tasks during the sprint, most notably setting up a local version of the Draftail editor, Wagtail's rich text editing interface. The editor itself generated some styles dynamically, which wasn't CSP-friendly. I started work on it without a clear sense of direction, and came up with a draft of what could work. My mentor and I agreed to keep the draft PR as a reference and add it to the backlog, so I could focus on things where there was already a clearer direction.
Automated checkers
The following sprint fell during Wagtail's code freeze, the period just before a new Wagtail release when code changes are not merged until after the release. For that sprint, I focused on reviewing existing and pending CSP-related issues and tasks. It was a period of research and exploration of options for potential CSP issues. During this period, I also worked on a way to prevent new CSP issues from creeping in later. I had the idea of a "code checker", and my mentor suggested writing Semgrep rules to perform the checks. I wrote the rules in this PR, and made a note to plan towards moving the JavaScript/TypeScript checks to Wagtail's ESLint repo. The last activity of this sprint was checking that uploaded SVGs containing inline styles would not violate CSP directives. That investigation was done, and SVGs didn't get in the way.
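To make the style-src and script-src refactors above, and the idea of a regression checker, concrete, here is an added example of a small lint in Python. It is my own illustration, not the Semgrep rules from the PR or any Wagtail code: it flags the constructs a strict nonce-based CSP blocks (inline style attributes, inline event handlers, script and style tags without a nonce, setAttribute("style"), string-argument timers, eval) and deliberately leaves CSSOM writes such as el.style.backgroundPosition alone, since CSP allows those. The before/after snippets, the panel controller names and the nonce="{{ csp_nonce }}" template variable are constructed assumptions.

```python
"""
Hypothetical CSP lint for Django templates and JavaScript (added example,
not Wagtail's Semgrep rules). It flags constructs a strict, nonce-based
CSP (no 'unsafe-inline') blocks, and deliberately leaves CSSOM property
writes such as el.style.width = "10px" alone, since CSP allows them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    snippet: str


# Heuristic line patterns, not a parser: enough to stop regressions in CI.
HTML_RULES = [
    ("inline-style-attr", re.compile(r"""\sstyle\s*=\s*["']""", re.I)),
    ("inline-event-handler", re.compile(
        r"""\son(?:click|load|error|change|input|submit|focus|blur|mouse[a-z]+|key[a-z]+)\s*=\s*["']""", re.I)),
    ("javascript-url", re.compile(r"""\b(?:href|src)\s*=\s*["']\s*javascript:""", re.I)),
    # <script>/<style> tags must carry the per-response nonce; nonce="{{ csp_nonce }}"
    # is how this example assumes the template exposes it.
    ("script-without-nonce", re.compile(r"""<script\b(?![^>]*\bnonce\s*=)""", re.I)),
    ("style-without-nonce", re.compile(r"""<style\b(?![^>]*\bnonce\s*=)""", re.I)),
]
JS_RULES = [
    # setAttribute("style", ...) creates an inline style attribute and is blocked;
    # el.style.prop = ... goes through the CSSOM and is not.
    ("style-setattribute", re.compile(r"""\.setAttribute\(\s*["']style["']""")),
    ("eval-like", re.compile(r"""\beval\(|\bnew\s+Function\(""")),
    ("string-timer", re.compile(r"""\bset(?:Timeout|Interval)\(\s*["']""")),
    ("document-write", re.compile(r"""\bdocument\.write(?:ln)?\(""")),
]
RULES = {"html": HTML_RULES, "js": JS_RULES}


def find_csp_violations(source: str, kind: str) -> list[Finding]:
    """Return every rule hit in `source`; `kind` is 'html' or 'js'."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES[kind]:
            if pattern.search(line):
                findings.append(Finding(line_no, rule_id, line.strip()))
    return findings


def format_report(path: str, findings: list[Finding]) -> str:
    return "\n".join(f"{path}:{f.line}: {f.rule}: {f.snippet}" for f in findings)


# Constructed before/after snippets modelled on the kind of change described above.
BEFORE_TEMPLATE = """\
<div class="panel" style="background-position: 0 -40px;">
  <button onclick="toggle()">Toggle</button>
  <script src="/static/panel.js"></script>
</div>
"""
AFTER_TEMPLATE = """\
<div class="panel panel--offset" data-controller="panel">
  <button data-action="click->panel#toggle">Toggle</button>
  <script src="/static/panel.js" nonce="{{ csp_nonce }}"></script>
</div>
"""
BEFORE_JS = """\
panel.setAttribute("style", "background-position: 0 -" + offset + "px");
setTimeout("refresh()", 100);
"""
AFTER_JS = """\
panel.style.backgroundPosition = "0 -" + offset + "px"; // CSSOM write, allowed
setTimeout(refresh, 100);
"""

if __name__ == "__main__":
    for name, src, kind in [("before.html", BEFORE_TEMPLATE, "html"),
                            ("after.html", AFTER_TEMPLATE, "html"),
                            ("before.js", BEFORE_JS, "js"),
                            ("after.js", AFTER_JS, "js")]:
        hits = find_csp_violations(src, kind)
        print(format_report(name, hits) or f"{name}: no CSP violations")
```

Run it over a template directory in CI and fail the build on any finding; the "after" snippets show the shape of a passing fix, where styling moves to a class or a CSSOM write and behaviour moves to a Stimulus data-action instead of an inline handler.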
CSP support in Django 6.0
With these out of the way, the next steps (in no specific order) were:
- migrating the file title generation logic on image and document upload to a Stimulus approach;
- testing Wagtail with Django 6.0's built-in CSP support;
- establishing a CSP baseline with Django 6.0 on both the BakeryDemo and Wagtail.org;
- documenting my findings;
- making my work more visible for scrutiny and feedback;
- investigating the codebase more deeply, with a focus on dynamically generated scripts;
- putting finishing touches on existing PRs.
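As an added example of what a strict CSP baseline looks like next to the loose one it replaces, the following Python mirrors the dict-of-directives shape that Django 6.0's SECURE_CSP setting takes, but serialises the header itself so it runs without Django installed. It is my own illustration, not Django's or Wagtail's code; the NONCE sentinel, the helper names and the policies are assumptions for the example.

```python
"""
Added example: a strict, nonce-based CSP beside a loose 'unsafe-inline' one,
written in the directive -> sources dict shape Django 6.0's SECURE_CSP uses,
and serialised here in plain Python. Names below are this example's own.
"""
import secrets

NONCE = "<nonce>"  # sentinel replaced with a fresh value for every response
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval",
            "strict-dynamic", "report-sample"}

# Weak baseline: any inline <script> or style runs, so an injected tag runs too.
LOOSE_POLICY = {
    "default-src": ["self"],
    "script-src": ["self", "unsafe-inline"],
    "style-src": ["self", "unsafe-inline"],
}

# Strict baseline: only scripts/styles carrying this response's nonce execute.
STRICT_POLICY = {
    "default-src": ["self"],
    "script-src": ["self", NONCE, "strict-dynamic"],
    "style-src": ["self", NONCE],
    "object-src": ["none"],
    "base-uri": ["self"],
}


def make_nonce() -> str:
    """Unguessable per-response nonce; reusing one across responses defeats it."""
    return secrets.token_urlsafe(16)


def serialize_source(source: str, nonce: str) -> str:
    """Quote CSP keywords, substitute the nonce, pass host sources through."""
    if source == NONCE:
        return f"'nonce-{nonce}'"
    if source in KEYWORDS:
        return f"'{source}'"
    return source  # e.g. https://cdn.example


def build_csp_header(policy: dict[str, list[str]], nonce: str) -> str:
    """Serialise a policy dict into a Content-Security-Policy header value."""
    return "; ".join(
        f"{directive} {' '.join(serialize_source(s, nonce) for s in sources)}"
        for directive, sources in policy.items()
    )


def allows_inline_scripts(policy: dict[str, list[str]]) -> bool:
    """True when a markup-injected <script> would execute under this policy.

    'unsafe-inline' is ignored by browsers once a nonce or hash source is
    present, so it only counts when neither is listed.
    """
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = NONCE in sources or any(s.startswith("sha") for s in sources)
    return "unsafe-inline" in sources and not has_nonce_or_hash


def respond(policy: dict[str, list[str]], script_src: str = "/static/app.js"):
    """Build one response: header and markup share a single fresh nonce."""
    nonce = make_nonce()
    headers = {"Content-Security-Policy": build_csp_header(policy, nonce)}
    html = f'<script src="{script_src}" nonce="{nonce}"></script>'
    return headers, html


if __name__ == "__main__":
    for name, policy in [("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)]:
        headers, html = respond(policy)
        print(f"{name}: {headers['Content-Security-Policy']}")
        print(f"  inline scripts allowed: {allows_inline_scripts(policy)}")
        print(f"  {html}")
```

The point of the strict baseline is that the header and the script tag carry the same nonce for one response only; establishing it on the BakeryDemo first surfaces every template that still emits a tag without one.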
The current state
At the time of writing, some of the work I did has been merged and some is still under review. Wagtail's strict CSP compatibility has progressed, and there will soon be another CSP audit once the remaining unmerged/unreviewed changes are finalized and merged. The GSoC project, along with the addition of CSP to the Wagtail roadmap, has also garnered interest in seeing the CSP goal achieved.
What's left to do
At the time of writing this, the pending parts from the GSoC project board are:
- Fixing the Draftail editor's dynamic styles.
- Fixing some dynamically injected JavaScript code from within Python in the Wagtail code.
- Giving a full report on my CSP test findings using the upcoming Django 6.0 in both the BakeryDemo and Wagtail.org projects.
- Finalizing/merging the pending PRs already linked in this blog post.
Thoughts
It's been magical watching and being a part of how a 10-year-old GitHub issue might finally be closed. This is one of those moments I am truly grateful for, that only open-source software can give. The last 3 months have been full of nothing but excitement, learning, and collaboration.
I'm grateful to my mentors Sage & Thibaud, LB, and the Wagtail community as a whole for being such great teachers and collaborators. They made my GSoC experience amazing. And big thanks to Google for giving me a life-changing experience!
As to what’s next for me, I will be speaking about my open source experiences at Wagtail Space 2025, next week!