Restructure CSP Configuration with Streamlined Settings (backwards incompatible) #219
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
robhudson
force-pushed
the
two-dict-based-settings
branch
from
d88f009
to
77ab5f0
Compare
This was referenced May 2, 2024
stevejalim
reviewed
May 7, 2024
| By following this migration guide, you should be able to successfully update your Django project to | ||
| use the new dict-based CSP settings format introduced in the latest version of `django-csp`. This | ||
| change aligns the package with the latest CSP specification and provides a more organized and | ||
| flexible way to configure your Content Security Policy. |
robhudson
force-pushed
the
two-dict-based-settings
branch
from
1da985f
to
b09c116
Compare
willkg
reviewed
May 16, 2024
| 'upgrade-insecure-requests': True, | ||
| 'report-uri': "/csp-report/", | ||
| } | ||
| } |
There was a problem hiding this comment.
I <3 this soooo much more than django-csp 3 configuration.
diox
reviewed
May 17, 2024
janbrasna
reviewed
May 25, 2024
robhudson
force-pushed
the
two-dict-based-settings
branch
2 times, most recently
from
d2cd3e2
to
4c12388
Compare
|
Does anyone also feel like we shouldn't have a top level I'm considering changing the import path since we're breaking backwards compatibility anyway but wanted to try to get a poll:
|
robhudson
force-pushed
the
two-dict-based-settings
branch
from
4c12388
to
bb97109
Compare
robhudson
force-pushed
the
two-dict-based-settings
branch
from
bb97109
to
93f1eb3
Compare
stevejalim
reviewed
Jun 6, 2024
| warning = ( | ||
| "You are using django-csp < 4.0 settings. Please update your settings to use the new format.\n" | ||
| "See https://django-csp.readthedocs.io/en/latest/migration-guide.html for more information.\n\n" | ||
| "We have attempted to build the new CSP config for you based on your current settings:\n\n" |
stevejalim
approved these changes
Jun 6, 2024
robhudson
force-pushed
the
two-dict-based-settings
branch
from
93f1eb3
to
bbfc8bb
Compare
This is a backwards incompatible change. Also fixes mozilla#139, mozilla#191
robhudson
force-pushed
the
two-dict-based-settings
branch
from
bbfc8bb
to
039f699
Compare
This was referenced Jun 6, 2024
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a significant update to the django-csp project, focusing on enhancing the coherence between configuration and headers, and aligning with Django's common practices for settings. The CSP settings have been restructured, consolidating them into two primary options for enforced and report-only policies.
Key Changes:
CONTENT_SECURITY_POLICY: settings for the enforced policy.CONTENT_SECURITY_POLICY_REPORT_ONLY: settings for the report-only policy.This is a backwards-incompatible change.
While this change may require refactoring for existing users...
Feedback and Contributions
We invite our community members to test and provide feedback on the updated settings structure. Your input will help refine django-csp and ensure its compatibility with Django best practices. Documentation enhancements or suggestions are greatly appreciated.