Currently I am making use of 'unsafe-inline' in my CSP_SCRIPT_SRC and CSP_STYLE_SRC, which is not a recommended practice. I tried using nonces and hashes, but they do not work, since in some instances I'm using Django to generate templates and so I cannot use a nonce there.
I tried referring to this issue, but it did not work either, using the media class and the django-csp helpers:
https://github.com/mozilla/django-csp/issues/119
The model is:

```python
from django import forms
from django.contrib.auth.forms import AuthenticationForm, UsernameField
from django.utils.translation import gettext_lazy as _

class OauthAuthenticationForm(AuthenticationForm):
    username = UsernameField(widget=forms.TextInput(attrs={'autofocus': True, 'autocomplete': 'one-time-code'}))
    password = forms.CharField(
        label=_("Password"),
        strip=False,
        # onfocus/onfocusout render as inline event handlers, which is what requires 'unsafe-inline' in script-src
        widget=forms.PasswordInput(attrs={'autocomplete': 'off', 'readonly': 'True',
                                          'onfocus': 'this.removeAttribute("readonly");',
                                          'onfocusout': "this.setAttribute('readonly','readonly');",
                                          }))
```
How do I get rid of 'unsafe-inline'? Any help would be truly appreciated. For the scripts where I could actually make changes, I added <script nonce={{request.csp_nonce}}> and this is working fine.
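As an added example (not part of the question above, and not django-csp code), the script below audits rendered HTML for the constructs that force 'unsafe-inline': inline event handler attributes such as the `onfocus`/`onfocusout` in the posted form, `javascript:` URLs, `<script>` blocks without a nonce, and inline styles (a `style=` attribute or an unnonced `<style>` block). The two embedded HTML snippets are constructed samples: the first approximates what the posted form renders to, the second shows the same readonly toggle moved out of the widget `attrs` into a nonced script that attaches the listeners via `addEventListener` to inputs marked with an assumed `data-readonly-guard` attribute. The nonce value `r4nd0m` is a stand-in for whatever `{{ request.csp_nonce }}` renders to. Only the standard library is used, so it runs without Django.

```python
"""Audit rendered HTML for markup that still needs CSP 'unsafe-inline'.

Added example, not from the original question. Inline event handlers and
style= attributes need 'unsafe-inline' (or, in CSP Level 3, 'unsafe-hashes');
inline <script>/<style> blocks are only allowed when they carry a nonce or
the server emits their hash.
"""
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}


class InlineCSPAuditor(HTMLParser):
    """Collects (tag, detail, directive) for every construct that blocks removing 'unsafe-inline'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases names; values may be None for bare attributes.
        attr_map = {name: (value or "") for name, value in attrs}
        for name, value in attr_map.items():
            if name.startswith("on"):
                # onfocus=, onclick=, ... are inline handlers -> script-src
                self.findings.append((tag, f"{name}= handler", "script-src"))
            elif name == "style":
                self.findings.append((tag, "style= attribute", "style-src"))
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, f"{name}=javascript: URL", "script-src"))
        # A <script> with src= is external, not inline; an inline one needs a nonce.
        if tag == "script" and "src" not in attr_map and "nonce" not in attr_map:
            self.findings.append((tag, "inline <script> without nonce", "script-src"))
        if tag == "style" and "nonce" not in attr_map:
            self.findings.append((tag, "inline <style> without nonce", "style-src"))


def audit_inline_csp(html):
    """Return the list of (tag, detail, directive) findings for `html`."""
    auditor = InlineCSPAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def directives_needing_unsafe_inline(html):
    """Return the set of CSP directives that still need 'unsafe-inline' for `html`."""
    return {directive for _tag, _detail, directive in audit_inline_csp(html)}


# Constructed sample: roughly what the posted form renders to (Django escapes the quotes).
BEFORE_HTML = """
<form method="post">
  <input type="text" name="username" autofocus autocomplete="one-time-code" required id="id_username">
  <input type="password" name="password" autocomplete="off" readonly="True"
         onfocus="this.removeAttribute(&quot;readonly&quot;);"
         onfocusout="this.setAttribute('readonly','readonly');" required id="id_password">
</form>
"""

# Constructed sample: the same toggle with no inline handlers. The widget only carries an
# assumed data-readonly-guard marker; the behaviour lives in a nonced script in the template.
AFTER_HTML = """
<form method="post">
  <input type="text" name="username" autofocus autocomplete="one-time-code" required id="id_username">
  <input type="password" name="password" autocomplete="off" readonly data-readonly-guard required id="id_password">
</form>
<script nonce="r4nd0m">
document.querySelectorAll('[data-readonly-guard]').forEach(function (el) {
  el.addEventListener('focus', function () { el.removeAttribute('readonly'); });
  el.addEventListener('focusout', function () { el.setAttribute('readonly', 'readonly'); });
});
</script>
"""

# Constructed sample covering the other constructs the auditor flags.
MIXED_HTML = """
<div style="color:red">x</div>
<a href="javascript:void(0)">no</a>
<script>alert(1)</script>
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_HTML), ("after", AFTER_HTML), ("mixed", MIXED_HTML)):
        print(label, sorted(directives_needing_unsafe_inline(sample)))
        for finding in audit_inline_csp(sample):
            print("   ", *finding)
```

Run it over the HTML your views actually emit (for example the output of the Django test client) rather than over template source, so that anything generated from template logic is included; an empty result for a page means its script-src and style-src no longer need 'unsafe-inline'.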