Possible to override CSP_INCLUDE_NONCE_IN per-view with a decorator? #139
Comments
|
Hey @fallen,
This is interesting.
No this isn't possible, since If it's OK to remove the nonce from all the directives, you could use a decorator like: def csp_remove_nonces(f):
@wraps(f)
def _wrapped(*a, **kw):
r = f(*a, **kw)
r._csp_nonce = None
return r
return _wrappedthen since build_policy in utils strips the nonce sources when nonce is commit 4e29019150c71a2d9938b610afcae5ec88a9046e
Author: Greg Guthe <[email protected]>
Date: Mon Jan 6 01:40:05 2020 -0500
add csp_remove_nonces decorator (needs docs)
diff --git a/csp/decorators.py b/csp/decorators.py
index bce3352..69e1fab 100644
--- a/csp/decorators.py
+++ b/csp/decorators.py
@@ -10,6 +10,15 @@ def csp_exempt(f):
return _wrapped
+def csp_remove_nonces(f):
+ @wraps(f)
+ def _wrapped(*a, **kw):
+ r = f(*a, **kw)
+ r._csp_nonce = None
+ return r
+ return _wrapped
+
+
def csp_update(**kwargs):
update = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items())
diff --git a/csp/tests/test_decorators.py b/csp/tests/test_decorators.py
index 6f2716e..0d377d8 100644
--- a/csp/tests/test_decorators.py
+++ b/csp/tests/test_decorators.py
@@ -2,7 +2,7 @@ from django.http import HttpResponse
from django.test import RequestFactory
from django.test.utils import override_settings
-from csp.decorators import csp, csp_replace, csp_update, csp_exempt
+from csp.decorators import csp, csp_replace, csp_update, csp_exempt, csp_remove_nonces
from csp.middleware import CSPMiddleware
@@ -98,6 +98,29 @@ def test_csp():
assert policy_list == ["default-src 'self'"]
+@override_settings(CSP_INCLUDE_NONCE_IN=["default-src"])
+def test_csp_remove_nonces():
+ # get a new REQUEST so we can modify ._csp_nonce without affecting other
+ # tests
+ request = RequestFactory().get('/')
+ request._csp_nonce = 'test-nonce'
+
+ def view_without_decorator(request):
+ return HttpResponse()
+ response = view_without_decorator(request)
+ mw.process_response(request, response)
+ policy_list = sorted(response["Content-Security-Policy"].split("; "))
+ assert policy_list == ["default-src 'self' 'nonce-test-nonce'"]
+
+ @csp_remove_nonces
+ def view_with_decorator(request):
+ return HttpResponse()
+ response = view_with_decorator(request)
+ mw.process_response(request, response)
+ policy_list = sorted(response["Content-Security-Policy"].split("; "))
+ assert policy_list == ["default-src 'self' 'nonce-test-nonce'"]
+
+
def test_csp_string_values():
# Test backwards compatibility where values were strings
@csp(IMG_SRC='foo.com', FONT_SRC='bar.com') |
|
FYI: this will be fixed in #36 |
Awesome, that's very good news! |
|
Haven't done up the docs yet, but will hopefully get them done along with some more extensive unit tests this week. In the single policy case, it will work just as you requested in the OP. In the multi-policy case, it can be overridden per policy, by passing 'include_nonce_in' in the policy dictionary ('report_only' works similarly). :) If all goes smoothly, I'm hoping we can get this merged and a release cut within a couple weeks. |
This comment was marked as spam.
This comment was marked as spam.
|
This will be possible in the upcoming release, currently under review in #219. The |
Very good news! Thanks a lot :) |
This is a backwards incompatible change. Also fixes mozilla#139, mozilla#191
This is a backwards incompatible change. Also fixes mozilla#139, mozilla#191
It would be nice to be able to use
@csp_replaceand@csp_updateonCSP_INCLUDE_NONCE_IN.Also, even
@cspwhich is supposed to override everything, does not override the nonce generation.Why?
Because some browsers like Chromium do not respect the
style-src: 'unsafe-inline'if a nonce is given.So if you generate a nonce with
CSP_INCLUDE_NONCE_IN, for your entire project, but you want for some precise view to use'unsafe-inline', you need to also have a mean to disable the nonce. Or else the browser will just ignore the'unsafe-inline'.The text was updated successfully, but these errors were encountered: