From 90d94084f6e5845ed402f0ece27eba2ad201b5ba Mon Sep 17 00:00:00 2001 From: Rob Hudson Date: Thu, 2 May 2024 09:07:05 -0700 Subject: [PATCH] Add constants for CSP keywords This helps avoid potential errors introduced by incorrectly quoting CSP keywords. --- csp/constants.py | 10 ++++++++++ csp/tests/test_middleware.py | 6 +++--- csp/tests/test_utils.py | 3 ++- csp/utils.py | 3 ++- docs/configuration.rst | 13 ++++++++----- docs/decorators.rst | 9 +++++---- 6 files changed, 30 insertions(+), 14 deletions(-) diff --git a/csp/constants.py b/csp/constants.py index 8cf10bc..95242c3 100644 --- a/csp/constants.py +++ b/csp/constants.py @@ -1,2 +1,12 @@ HEADER = "Content-Security-Policy" HEADER_REPORT_ONLY = "Content-Security-Policy-Report-Only" + +NONE = "'none'" +REPORT_SAMPLE = "'report-sample'" +SELF = "'self'" +STRICT_DYNAMIC = "'strict-dynamic'" +UNSAFE_ALLOW_REDIRECTS = "'unsafe-allow-redirects'" +UNSAFE_EVAL = "'unsafe-eval'" +UNSAFE_HASHES = "'unsafe-hashes'" +UNSAFE_INLINE = "'unsafe-inline'" +WASM_UNSAFE_EVAL = "'wasm-unsafe-eval'" diff --git a/csp/tests/test_middleware.py b/csp/tests/test_middleware.py index e52971a..90a524a 100644 --- a/csp/tests/test_middleware.py +++ b/csp/tests/test_middleware.py @@ -6,7 +6,7 @@ from django.test import RequestFactory from django.test.utils import override_settings -from csp.constants import HEADER, HEADER_REPORT_ONLY +from csp.constants import HEADER, HEADER_REPORT_ONLY, SELF from csp.middleware import CSPMiddleware from csp.tests.utils import response @@ -23,7 +23,7 @@ def test_add_header(): @override_settings( CONTENT_SECURITY_POLICY={"DIRECTIVES": {"default-src": ["example.com"]}}, - CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"default-src": ["'self'"]}}, + CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"default-src": [SELF]}}, ) def test_both_headers(): request = rf.get("/") @@ -51,7 +51,7 @@ def text_exclude(): @override_settings( CONTENT_SECURITY_POLICY=None, - CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"default-src": ["'self'"]}}, + CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"default-src": [SELF]}}, ) def test_report_only(): request = rf.get("/") diff --git a/csp/tests/test_utils.py b/csp/tests/test_utils.py index 188fa3b..041659c 100644 --- a/csp/tests/test_utils.py +++ b/csp/tests/test_utils.py @@ -1,6 +1,7 @@ from django.test.utils import override_settings from django.utils.functional import lazy +from csp.constants import NONE, SELF from csp.utils import build_policy, default_config, DEFAULT_DIRECTIVES @@ -182,7 +183,7 @@ def test_replace_missing_setting(): def test_config(): - policy = build_policy(config={"default-src": ["'none'"], "img-src": ["'self'"]}) + policy = build_policy(config={"default-src": [NONE], "img-src": [SELF]}) policy_eq("default-src 'none'; img-src 'self'", policy) diff --git a/csp/utils.py b/csp/utils.py index cf62ee1..cc645bb 100644 --- a/csp/utils.py +++ b/csp/utils.py @@ -6,12 +6,13 @@ from django.conf import settings from django.utils.encoding import force_str +from csp.constants import SELF DEFAULT_DIRECTIVES = { # Fetch Directives "child-src": None, "connect-src": None, - "default-src": ["'self'"], + "default-src": [SELF], "script-src": None, "script-src-attr": None, "script-src-elem": None, diff --git a/docs/configuration.rst b/docs/configuration.rst index 834b417..7e87e7d 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -43,12 +43,14 @@ a more slightly strict policy and is used to test the policy without breaking th .. code-block:: python + from csp.constants import NONE, SELF + CONTENT_SECURITY_POLICY = { "EXCLUDE_URL_PREFIXES": ["/excluded-path/"], "DIRECTIVES": { - "default-src": ["'self'", "cdn.example.net"], - "frame-ancestors": ["'self'"], - "form-action": ["'self'"], + "default-src": [SELF, "cdn.example.net"], + "frame-ancestors": [SELF], + "form-action": [SELF], "report-uri": "/csp-report/", }, } @@ -101,8 +103,9 @@ policy. .. note:: The "special" source values of ``'self'``, ``'unsafe-inline'``, ``'unsafe-eval'``, - ``'none'`` and hash-source (``'sha256-...'``) must be quoted! - e.g.: ``"default-src": ["'self'"]``. Without quotes they will not work as intended. + ``'strict-dynamic'``, ``'none'``, etc. must be quoted! e.g.: ``"default-src": ["'self'"]``. + Without quotes they will not work as intended. Use the ``csp.constants`` module to get these + values, e.g., ``from csp.constants import SELF``. .. note:: Deprecated features of CSP in general have been moved to the bottom of this list. diff --git a/docs/decorators.rst b/docs/decorators.rst index 6c36378..d35b7d4 100644 --- a/docs/decorators.rst +++ b/docs/decorators.rst @@ -99,18 +99,19 @@ If you need to set the entire policy on a view, ignoring all the settings, you c decorator. This, and the other decorators, can be stacked to update both policies if both are in use, as shown below. The arguments and values are as above:: + from csp.constants import SELF, UNSAFE_INLINE from csp.decorators import csp @csp({ - "default_src": ["'self'"], + "default_src": [SELF], "img-src": ["imgsrv.com"], - "script-src": ["scriptsrv.com", "googleanalytics.com", "'unsafe-inline'"]} + "script-src": ["scriptsrv.com", "googleanalytics.com", UNSAFE_INLINE]} }) @csp({ - "default_src": ["'self'"], + "default_src": [SELF], "img-src": ["imgsrv.com"], "script-src": ["scriptsrv.com", "googleanalytics.com"]}, - "frame-src": ["'self'"], + "frame-src": [SELF], REPORT_ONLY=True }) def myview(request):