Update rate limiting defaults and bring test coverage to 100%

mozilla · May 22, 2024 · 4cf1b7a · 4cf1b7a
1 parent 0531388
commit 4cf1b7a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/csp/contrib/rate_limiting.py b/csp/contrib/rate_limiting.py
@@ -16,7 +16,7 @@ def build_policy(self, request, response):
         replace = getattr(response, "_csp_replace", {})
         nonce = getattr(request, "_csp_nonce", None)
 
-        policy = getattr(settings, "CONTENT_SECURITY_POLICY", {})
+        policy = getattr(settings, "CONTENT_SECURITY_POLICY", None)
 
         if policy is None:
             return ""
@@ -34,7 +34,7 @@ def build_policy_ro(self, request, response):
         replace = getattr(response, "_csp_replace_ro", {})
         nonce = getattr(request, "_csp_nonce", None)
 
-        policy = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", {})
+        policy = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", None)
 
         if policy is None:
             return ""

diff --git a/csp/tests/test_contrib.py b/csp/tests/test_contrib.py
@@ -23,6 +23,19 @@ def test_report_percentage():
     assert 400 <= times_seen <= 600
 
 
+@override_settings(CONTENT_SECURITY_POLICY_REPORT_ONLY={"REPORT_PERCENTAGE": 10, "DIRECTIVES": {"report-uri": "x"}})
+def test_report_percentage_report_only():
+    times_seen = 0
+    for _ in range(5000):
+        request = rf.get("/")
+        response = HttpResponse()
+        mw.process_response(request, response)
+        if "report-uri" in response[HEADER_REPORT_ONLY]:
+            times_seen += 1
+    # Roughly 10%
+    assert 400 <= times_seen <= 600
+
+
 @override_settings(CONTENT_SECURITY_POLICY=None)
 def test_no_csp():
     request = rf.get("/")