After testing locally, this fixes the CSP warnings in the developer console, if you have a strict CSP like script-src: 'self' that doesn't allow 'unsafe-inline'.

thanks

I came across this pull request as I am currently adding CSP to our Django application. We are using the django rest framework in version 3.14.

With the changes in this PR the load-ajax-form errors are fixed for me.

But the line 290 in base.html is also generating a CSP error.

<script type="application/json" id="drf_csrf">
        {
          "csrfHeaderName": "{{ csrf_header_name|default:'X-CSRFToken' }}",
          "csrfToken": "{% if request %}{{ csrf_token }}{% endif %}"
        }
</script>

I think the same approach makes sense in this case and the inline script should be outsourced, as we already have a csrf.js file.

I'm looking forward to your feedback

@mnacken Thank you for reporting! There was an existing PR to fix this issue which I tested (in Chrome and Firefox) then merged:
#7016

Above changed an inline script to use JSON instead of real javascript, which appeared to prevent the script from actually executing. It just made the data / token available in the page HTML.

I'm not sure what browser you're using or why the new form still causes errors, but I'd be happy to look over a PR if you want to submit one. I guess using an external script is also a cleaner, more consistent approach than this dirty hack 😄

Thx for response, you are right!
I made it easy for myself and made the changes manually. With the changes from #7016 its fine!

Is there any roadmap/timeline for releasing version 3.15?

There is a milestone for it:
https://github.com/encode/django-rest-framework/milestone/78

I assume it will be released when all the linked issues are complete, but I don't actually know for sure.

most probably by the end of this month or first half of next month