From 688dddc53349d3ee711d0e8bd746e0ed46a87444 Mon Sep 17 00:00:00 2001
From: Rob Hudson
Date: Mon, 15 Jul 2024 16:34:21 -0700
Subject: [PATCH] Reorganize settings if report-only CSP doesn't exist

---
 bedrock/settings/__init__.py | 37 ++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index faf55961b1b..071db29a20f 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -262,16 +262,6 @@
     },
 }
 
-# Start report-only CSP as a copy. We'll modify it later if needed.
-# Only set up report-only CSP if we have a report-uri set.
-if csp_report_uri := config("CSP_REPORT_URI", default="") or None:
-    CONTENT_SECURITY_POLICY_REPORT_ONLY = deepcopy(CONTENT_SECURITY_POLICY)
-    CONTENT_SECURITY_POLICY_REPORT_ONLY["REPORT_PERCENTAGE"] = config("CSP_REPORT_PERCENTAGE", default="100", parser=int)
-    CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_report_uri
-    # Remove `UNSAGE_INLINE` and `UNSAGE_EVAL` from `script-src`.
-    _csp_ro_script_src = [src for src in _csp_script_src if src not in [UNSAFE_INLINE, UNSAFE_EVAL]]
-    CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["script-src"] = list(set(_csp_default_src + _csp_ro_script_src))
-
 # Mainly for overriding CSP settings for CMS admin.
 # Works in conjunction with the `bedrock.base.middleware.CSPMiddlewareByPathPrefix` middleware.
 
@@ -285,15 +275,26 @@
     "/cms-admin/images/": CMS_ADMIN_IMAGES_CSP,
 }
 
-CMS_ADMIN_CSP_RO = deepcopy(CONTENT_SECURITY_POLICY_REPORT_ONLY)
-CMS_ADMIN_CSP_RO["DIRECTIVES"]["script-src"] += [UNSAFE_INLINE]
-CMS_ADMIN_IMAGES_CSP_RO = deepcopy(CONTENT_SECURITY_POLICY_REPORT_ONLY)
-CMS_ADMIN_IMAGES_CSP_RO["DIRECTIVES"]["img-src"] += ["blob:"]
+# Start report-only CSP as a copy. We'll modify it later if needed.
+# Only set up report-only CSP if we have a report-uri set.
+if csp_report_uri := config("CSP_REPORT_URI", default="") or None:
+    CONTENT_SECURITY_POLICY_REPORT_ONLY = deepcopy(CONTENT_SECURITY_POLICY)
+    CONTENT_SECURITY_POLICY_REPORT_ONLY["REPORT_PERCENTAGE"] = config("CSP_REPORT_PERCENTAGE", default="100", parser=int)
+    CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_report_uri
+    # Remove `UNSAGE_INLINE` and `UNSAGE_EVAL` from `script-src`.
+    _csp_ro_script_src = [src for src in _csp_script_src if src not in [UNSAFE_INLINE, UNSAFE_EVAL]]
+    CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["script-src"] = list(set(_csp_default_src + _csp_ro_script_src))
 
-CSP_PATH_OVERRIDES_REPORT_ONLY = {
-    "/cms-admin/images/": CMS_ADMIN_IMAGES_CSP,
-    "/cms-admin/": CMS_ADMIN_CSP_RO,
-}
+    # For overriding CSP report-only settings for CMS admin.
+    CMS_ADMIN_CSP_RO = deepcopy(CONTENT_SECURITY_POLICY_REPORT_ONLY)
+    CMS_ADMIN_CSP_RO["DIRECTIVES"]["script-src"] += [UNSAFE_INLINE]
+    CMS_ADMIN_IMAGES_CSP_RO = deepcopy(CONTENT_SECURITY_POLICY_REPORT_ONLY)
+    CMS_ADMIN_IMAGES_CSP_RO["DIRECTIVES"]["img-src"] += ["blob:"]
+
+    CSP_PATH_OVERRIDES_REPORT_ONLY = {
+        "/cms-admin/images/": CMS_ADMIN_IMAGES_CSP,
+        "/cms-admin/": CMS_ADMIN_CSP_RO,
+    }
 
 # 4. SETTINGS WHICH APPLY REGARDLESS OF SITE MODE
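Review bot: The report-only override table added in this hunk still maps `/cms-admin/images/` to the enforced `CMS_ADMIN_IMAGES_CSP` instead of `CMS_ADMIN_IMAGES_CSP_RO`, which is built two lines earlier and then never referenced; since the report-only copy is the one that receives `report-uri` and has `UNSAFE_INLINE`/`UNSAFE_EVAL` stripped from `script-src`, the report-only header served for that path would, as far as the hunk shows, carry no report destination and the unfiltered sources. The commit moves these lines without correcting them; the entry should read `"/cms-admin/images/": CMS_ADMIN_IMAGES_CSP_RO,`. With this reorganisation `CONTENT_SECURITY_POLICY_REPORT_ONLY` and `CSP_PATH_OVERRIDES_REPORT_ONLY` are simply absent when `CSP_REPORT_URI` is empty, so any reader of those settings (presumably the `CSPMiddlewareByPathPrefix` middleware named in the first hunk's context) must tolerate a missing attribute; an explicit `else:` branch with `CSP_PATH_OVERRIDES_REPORT_ONLY = {}` would make the no-report-uri case a defined state rather than a `getattr` fallback at the call site. The moved comment also misspells the two constants as `UNSAGE_INLINE`/`UNSAGE_EVAL`.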