My Google Summer of Code (GSoC) 2025 in View



This content originally appeared on DEV Community and was authored by Chiemezuo

On May 8, 2025, I received an email stating that my proposal, titled “Content Security Policy Compatibility,” for the Wagtail CMS had been accepted. It was an exciting moment, and 3 months later, I’m here to share how things went, along with links to all of the work that was done.

[Image: Chiemezuo's project acceptance from Google Summer of Code 2025, showing the project name]

Introduction

I’ll start with some context to understand the GSoC project topic, the state of things before the project, the state of things after the changes from the project are merged, as well as the scope of what can be done in the future.

First of all, what is CSP? To quote the Mozilla documentation: “CSP is a feature that helps to prevent or minimize the risk of certain types of security threats.” In practice, a site sends a Content-Security-Policy header telling the browser which sources of scripts, styles and other resources it may load, and a “strict” policy is one that does not allow inline scripts or styles at all. If that’s confusing, here’s a reference to an explanation of CSP from an article I wrote during my project.

The Starting Point

The foundation of this project was laid in 2015 via a GitHub issue. Some fixes and discussions went on from that issue, and a few years later, another issue was created as a more up-to-date listing of Wagtail components that triggered strict CSP violations. Now, in 2025, an even more recent CSP audit was conducted.

All of this means that at the time of commencement of my project, the Wagtail CMS had a handful of issues holding it back from supporting strict CSP, which were summarized in this comment. This made planning very straightforward, so my mentor Sage and I drafted a GitHub project board that became the reference guide for my GSoC 2025.

Finally, making CSP improvements would be nothing without a place to test and document them. The BakeryDemo and Wagtail.org websites were ideal: the former as a template developers could walk through, and the latter as a production site with CSP running.

What I did

The project was divided into sprints of focused tasks, with the easier fixes being addressed first, to make room for tasks that depended on other members of the community. There was a pull request for refactoring the HTML and CSS across the CMS to remove inline styles, which a strict CSP rejects unless style-src allows 'unsafe-inline'. My mentor and I reviewed this and quickly merged it. This was the first merge of my project. Shortly after, I sent in another Pull Request (PR) for the remaining style-src issues, those resulting from inline styles set by JavaScript code.

After style-src, the logical progression was to try to tackle script-src issues in the codebase. However, the culprit component causing these problems was a part of a larger system that required a refactor: Inline Panels. The first part of the refactor was already in the works by LB and some of the Wagtail Core team members. While that was in review, I proceeded to fix an issue with a client-facing aspect: background positioning. This depended on some feedback from the core team.

The primary target of the next sprint was inline panel refactoring. There was a PR already in place for this, but it was incomplete and needed a review of the intended implementation. The contributor allowed me to continue working on it, and I did that in a separate branch/PR. Work on the new branch went on asynchronously and is still in the works at the time of writing this. The async nature of it allowed me to take on some other tasks in the sprint period, most notable of which was setting up a local version of the Draftail editor, which is Wagtail’s rich text editing interface. The editor itself had some dynamic style generation, which wasn’t CSP-friendly. I started work on it, but didn’t have a clear sense of direction, and came up with a draft of what could work. My mentor and I agreed on keeping the draft PR as a reference and adding it to the backlog, so that I could focus on things where there was already a clearer direction.

The following sprint fell during the time of Wagtail’s code freeze, which is the span of time just before a new Wagtail release, where code changes do not get merged until after the release. For that sprint, I focused on reviewing existing and pending CSP-related issues and tasks. It was a period of research and exploration of some options for potential CSP issues. During this period, I also worked on a way to prevent new CSP issues from creeping in in the future. I had the idea of a “code checker”, and my mentor suggested writing a Semgrep rule to perform the checks. I wrote the rules in this PR, and made a note to plan towards moving the JavaScript/TypeScript checks to Wagtail’s ESLint repo. The last activity of this sprint was checking that SVGs, when uploaded, would not violate CSP directives when they contained inline styles. This investigation was done, and SVGs didn’t get in the way.
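To make the “code checker” idea concrete, and to show the kinds of inline-style and inline-script patterns the earlier style-src/script-src refactoring had to remove, here is a small lint written for this post. It is an added example and not Wagtail’s Semgrep rules or any Wagtail code; the regular expressions, the `lint` helper, the `Finding` type and both sample templates are constructed for illustration, and the policy it assumes is a strict one with no 'unsafe-inline' or 'unsafe-eval' in style-src or script-src, where `<script>` and `<style>` elements carry a nonce.

```python
"""Toy strict-CSP lint for templates and JavaScript (added example, not project code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    directive: str  # the CSP directive this pattern would trip under a strict policy
    snippet: str


# Patterns that a strict CSP would block. Constructed for this example.
ATTRIBUTE_PATTERNS = [
    # Markup: a style="" attribute is an inline style -> style-src.
    # The lookbehind keeps data-style="" and similar custom attributes out.
    (re.compile(r"""(?<![-\w])style\s*=\s*["']"""), "style-src"),
    # Markup: onclick="", onload="", ... are inline event handlers -> script-src.
    (re.compile(r"""\son[a-z]+\s*=\s*["']"""), "script-src"),
    # Markup: javascript: URLs are inline script -> script-src.
    (re.compile(r"""=\s*["']javascript:""", re.IGNORECASE), "script-src"),
    # JS: setAttribute('style', ...) counts as an inline style attribute, unlike
    # CSSOM writes such as el.style.color = '...', which CSP permits.
    (re.compile(r"""setAttribute\(\s*["']style["']"""), "style-src"),
    # JS: string-to-code APIs need 'unsafe-eval' -> script-src.
    (re.compile(r"""\b(eval|new\s+Function)\s*\("""), "script-src"),
]

# <script>/<style> elements need a nonce (or hash) under a strict policy; with a
# nonce-only policy this includes <script src="..."> as well.
TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
NONCE_RE = re.compile(r"""\bnonce\s*=\s*["']""")


def lint(source: str) -> list[Finding]:
    """Scan template or JS source line by line and return strict-CSP findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, directive in ATTRIBUTE_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(lineno, directive, line.strip()))
        for match in TAG_RE.finditer(line):
            tag, attrs = match.group(1).lower(), match.group(2)
            if not NONCE_RE.search(attrs):
                directive = "script-src" if tag == "script" else "style-src"
                findings.append(Finding(lineno, directive, match.group(0)))
    return findings


# Constructed "before" template with the kinds of violations discussed above.
UNSAFE_TEMPLATE = """\
<div class="hero" style="background-position: 40% 60%"></div>
<button onclick="openChooser()">Choose image</button>
<script>
  var el = document.querySelector('.hero');
  el.setAttribute('style', 'background-position: 40% 60%');
</script>
"""

# Constructed "after" template: the position moves into data attributes, the
# handler is wired up from script, and a nonced script applies the style
# through the CSSOM, which a strict CSP allows.
SAFE_TEMPLATE = """\
<div class="hero" data-focal-x="40" data-focal-y="60"></div>
<button data-action="open-chooser">Choose image</button>
<script nonce="{{ csp_nonce }}">
  var el = document.querySelector('.hero');
  el.style.backgroundPosition = el.dataset.focalX + '% ' + el.dataset.focalY + '%';
</script>
"""


if __name__ == "__main__":
    for name, template in (("unsafe", UNSAFE_TEMPLATE), ("safe", SAFE_TEMPLATE)):
        print(f"{name}: {len(lint(template))} finding(s)")
        for f in lint(template):
            print(f"  line {f.line} [{f.directive}] {f.snippet}")
```

Run on the constructed templates, the “before” version yields four findings (two style-src, two script-src) and the “after” version none. The check is deliberately line-based and pattern-based, which is the same trade-off a Semgrep or ESLint rule makes: it catches the common shapes cheaply, and anything it misses still surfaces as a browser CSP report once the policy is enforced.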

With these out of the way, the next steps (in no specific order) were migrating the file title generation logic on image and document upload to use a Stimulus approach, testing Wagtail with Django 6.0’s built-in CSP support, establishing a CSP baseline with Django 6.0 on both BakeryDemo and Wagtail.org, documenting my findings, bringing my work into more public view for scrutiny and feedback, investigating deeper into the codebase with a focus on dynamic scripts, and putting finishing touches to existing PRs.

The Current State

At the time of writing this, some of the work I did has been merged, and some is still under review. There has been progress in the state of Wagtail’s strict CSP compatibility, and there will soon be another CSP audit when the rest of the unmerged/unreviewed changes are finalized and merged. The GSoC project, along with the addition of CSP to the Wagtail roadmap, has also garnered some interest in seeing the CSP goal achieved.

What’s left to do

At the time of writing this, the pending parts from the GSoC project board are:

  • Fixing the Draftail editor’s dynamic styles.
  • Fixing some dynamically injected JavaScript code from within Python in the Wagtail code.
  • Giving a full report on my CSP test findings using the upcoming Django 6.0 in both the BakeryDemo and Wagtail.org projects.
  • Finalizing/merging the pending PRs already linked in this blog post.

Thoughts

It’s been magical watching and being a part of how a 10-year-old GitHub issue might finally be closed. This is one of those moments I am truly grateful for, that only open-source software can give. The last 3 months have been full of nothing but excitement, learning, and collaboration.

I’m grateful to my mentors Sage & Thibaud, LB, and the Wagtail community as a whole for being such great teachers and collaborators. They made my GSoC experience amazing.

Finally, big thanks to Google for giving me a life-changing experience.

Till next time!

Cheers.🥂

