diff --git a/csp/tests/test_decorators.py b/csp/tests/test_decorators.py
index d962d9f..4fca9b8 100644
--- a/csp/tests/test_decorators.py
+++ b/csp/tests/test_decorators.py
@@ -224,7 +224,7 @@ def view_with_decorator(request):
 response = view_with_decorator(REQUEST)
 mw.process_response(REQUEST, response)
 assert response._csp_select == ('new_policy', 'default')
- assert response[HEADER] == "font-src bar.com; default-src 'self'"
+ assert response[HEADER] == "font-src bar.com, default-src 'self'"
 assert REPORT_ONLY_HEADER not in response
diff --git a/csp/tests/test_middleware.py b/csp/tests/test_middleware.py
index 0fa34ea..f5a56e5 100644
--- a/csp/tests/test_middleware.py
+++ b/csp/tests/test_middleware.py
@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.http import (
 HttpResponse,
 HttpResponseServerError,
@@ -40,14 +41,17 @@ def test_exempt():
 @override_settings(
 CSP_POLICIES=('default', 'report'),
- CSP_EXCLUDE_URL_PREFIXES=('/inlines-r-us',),
 )
 def test_exclude():
+ settings.CSP_POLICY_DEFINITIONS['default']['exclude_url_prefixes'] = (
+ '/inlines-r-us',
+ )
 request = rf.get('/inlines-r-us/foo')
 response = HttpResponse()
 mw.process_response(request, response)
 assert HEADER not in response
 assert response[REPORT_ONLY_HEADER] == "default-src 'self'"
+ settings.CSP_POLICY_DEFINITIONS['default']['exclude_url_prefixes'] = ()
 @override_settings(CSP_REPORT_ONLY=True)
@@ -107,7 +111,7 @@ def test_use_complex_config():
 assert response[REPORT_ONLY_HEADER] == 'img-src test.example.com'
-def test_use_order():
+def test_use_select():
 request = rf.get('/')
 response = HttpResponse()
 response._csp_config = {
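Review bot: The new expectation `"font-src bar.com, default-src 'self'"` in csp/tests/test_decorators.py records a change in enforcement, not only in formatting, and the test carries no comment saying so. Joined with `; ` the two entries read as directives of a single policy; joined with `, ` they are two separate policies in one header, and a browser requires a resource to satisfy every one of them, so a font from bar.com would presumably now also have to pass `default-src 'self'`. I would add above the assertion `# ', ' separates independent policies; the browser enforces each of them`. The enclosing test function starts outside this hunk.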
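Review bot: `test_exclude` in csp/tests/test_middleware.py now mutates `settings.CSP_POLICY_DEFINITIONS['default']` in place and restores it only on its last line, so a failing assertion leaves `/inlines-r-us` excluded from the default policy for every test that runs afterwards. `@override_settings(CSP_POLICIES=...)` restores only the setting it names and does not undo a change made inside the nested dict. The reset to `()` also assumes that was the value before the test ran. Saving the previous value and restoring it in a `finally` keeps a failure here from silently weakening the policy seen by other tests.

```python
def test_exclude():
    default_policy = settings.CSP_POLICY_DEFINITIONS['default']
    # Assumes the definition is a plain dict; keep whatever was configured before.
    previous = default_policy.get('exclude_url_prefixes', ())
    default_policy['exclude_url_prefixes'] = ('/inlines-r-us',)
    try:
        # … unchanged: request/response setup …
        mw.process_response(request, response)
        # … unchanged: the two header assertions …
    finally:
        default_policy['exclude_url_prefixes'] = previous
```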
@@ -124,12 +128,12 @@ def test_use_order():
 }
 response._csp_select = ('child', 'default', 'report_test')
 mw.process_response(request, response)
- policy_list = sorted(response[HEADER].split('; '))
- assert policy_list == ["child-src child.example.com", "default-src 'self'"]
+ policies = sorted(response[HEADER].split(', '))
+ assert policies == ["child-src child.example.com", "default-src 'self'"]
 assert response[REPORT_ONLY_HEADER] == 'img-src test.example.com'
-def test_use_order_dne():
+def test_use_select_dne():
 request = rf.get('/')
 response = HttpResponse()
 response._csp_select = ('does_not_exist',)
@@ -259,9 +263,8 @@ def test_nonce_regenerated_on_new_request():
 @override_settings(
- CSP_POLICIES=("default", "report"),
+ CSP_INCLUDE_NONCE_IN=[],
 )
-@override_settings(CSP_INCLUDE_NONCE_IN=[])
 def test_no_nonce_when_disabled_by_settings():
 request = rf.get('/')
 mw.process_request(request)
@@ -269,5 +272,3 @@ def test_no_nonce_when_disabled_by_settings():
 response = HttpResponse()
 mw.process_response(request, response)
 assert nonce not in response[HEADER]
- # Legacy settings only apply to default
- assert nonce in response[REPORT_ONLY_HEADER]
diff --git a/csp/tests/test_utils.py b/csp/tests/test_utils.py
index 2521e13..3243e6b 100644
--- a/csp/tests/test_utils.py
+++ b/csp/tests/test_utils.py
@@ -20,11 +20,14 @@ def policy_eq(
 if not isinstance(a, list):
 b = [(b, report_only, exclude_url_prefixes)]
- for csp_a, csp_b in zip(a, b):
- assert csp_a[1] == csp_b[1]
- assert sorted(csp_a[2]) == sorted(csp_b[2])
- parts_a = sorted(csp_a[0].split('; '))
- parts_b = sorted(csp_b[0].split('; '))
+ for (
+ (csp_a, report_only_a, exclude_prefixes_a),
+ (csp_b, report_only_b, exclude_prefixes_b),
+ ) in zip(a, b):
+ assert report_only_a == report_only_b
+ assert sorted(exclude_prefixes_a) == sorted(exclude_prefixes_b)
+ parts_a = sorted(csp_a.split('; '))
+ parts_b = sorted(csp_b.split('; '))
 assert parts_a == parts_b, msg % (a, b)
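Review bot: With `CSP_POLICIES=("default", "report")` dropped from the decorator on `test_no_nonce_when_disabled_by_settings`, and the `REPORT_ONLY_HEADER` assertion deleted in the next hunk, no line visible here checks what a report-only policy emits when nonces are switched off. The test now pins only `nonce not in response[HEADER]`, so a regression that kept or dropped the nonce in a second policy would pass unnoticed. If the setting is meant to apply to every selected policy, I would keep the two-policy decorator and assert `assert nonce not in response[REPORT_ONLY_HEADER]`; if it is per policy, a companion test should state that explicitly. The test body continues outside this hunk.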
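Review bot: The rewritten loop in `policy_eq` (csp/tests/test_utils.py) still pairs entries with `zip(a, b)`, which stops at the shorter sequence, so a built policy list with a missing or extra policy compares equal to the expectation. For a helper that decides whether the emitted CSP set is correct, that can hide a dropped policy. Adding `assert len(a) == len(b), msg % (a, b)` immediately before the `for` closes the gap. `policy_eq` starts above this hunk, so the normalisation of `a` and `b` is only partly visible here.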
@@ -301,11 +304,11 @@ def test_nonce_include_in():
 "style-src 'nonce-abc123'"), policy)
-@override_settings()
+@override_settings(CSP_POLICIES=('report',))
 def test_nonce_include_in_absent():
- del settings.CSP_INCLUDE_NONCE_IN
+ assert 'include_nonce_in' not in settings.CSP_POLICY_DEFINITIONS['report']
 policy = build_policy(nonce='abc123')
- policy_eq("default-src 'self' 'nonce-abc123'", policy)
+ policy_eq("default-src 'self' 'nonce-abc123'", policy, report_only=True)
 def test_policies_from_names_and_kwargs():