mozilla · robhudson · Sep 12, 2024 · Sep 11, 2024 · Sep 11, 2024 · stevejalim
diff --git a/csp/apps.py b/csp/apps.py
@@ -8,6 +8,4 @@ class CspConfig(AppConfig):
     name = "csp"
 
     def ready(self) -> None:
-        # Ignore known issue typeddjango/django-stubs #2232
-        # The overload of CheckRegistry.register as a function is incomplete
-        checks.register(check_django_csp_lt_4_0, checks.Tags.security)  # type: ignore
+        checks.register(check_django_csp_lt_4_0, checks.Tags.security)
diff --git a/csp/checks.py b/csp/checks.py
@@ -61,7 +61,7 @@ def migrate_settings() -> tuple[dict[str, Any], bool]:
 
     _REPORT_PERCENTAGE = getattr(settings, "CSP_REPORT_PERCENTAGE", None)
     if _REPORT_PERCENTAGE is not None:
-        config["REPORT_PERCENTAGE"] = round(_REPORT_PERCENTAGE * 100)
+        config["REPORT_PERCENTAGE"] = _REPORT_PERCENTAGE * 100
 
     include_nonce_in = getattr(settings, "CSP_INCLUDE_NONCE_IN", [])
 

diff --git a/csp/contrib/rate_limiting.py b/csp/contrib/rate_limiting.py
@@ -23,7 +23,8 @@ def get_policy_parts(self, request: HttpRequest, response: HttpResponseBase, rep
         if policy is None:
             return policy_parts
 
-        remove_report = random.randint(0, 99) >= policy.get("REPORT_PERCENTAGE", 100)
+        # `random.random` returns a value in the range [0.0, 1.0) so all values will be < 100.0.
-        # `random.random` returns a value in the range [0.0, 1.0) so all values will be < 100.0.
+        # `random.random` returns a value in the range [0.0, 1.0] so all values will be < 100.0.
-        # `random.random` returns a value in the range [0.0, 1.0) so all values will be < 100.0.
+        # `random.random` returns a value in the range [0.0, 1.0] so all values will be < 100.0.
+        remove_report = random.random() * 100 >= policy.get("REPORT_PERCENTAGE", 100)
         if remove_report:
             if policy_parts.replace is None:
                 policy_parts.replace = {

diff --git a/csp/tests/test_checks.py b/csp/tests/test_checks.py
@@ -13,7 +13,7 @@
 def test_migrate_settings() -> None:
     config, report_only = migrate_settings()
     assert config == {
-        "REPORT_PERCENTAGE": 25,
+        "REPORT_PERCENTAGE": 25.0,
         "EXCLUDE_URL_PREFIXES": ["/admin/"],
         "DIRECTIVES": {"default-src": ["'self'", "example.com"]},
     }

diff --git a/csp/tests/test_contrib.py b/csp/tests/test_contrib.py
@@ -25,6 +25,21 @@ def test_report_percentage() -> None:
     assert 400 <= times_seen <= 600
 
 
+@override_settings(CONTENT_SECURITY_POLICY={"REPORT_PERCENTAGE": 9.9, "DIRECTIVES": {"report-uri": "x"}})
+def test_report_percentage_float() -> None:
+    times_seen = 0
+    for _ in range(5000):
+        request = rf.get("/")
+        response = HttpResponse()
+        mw.process_response(request, response)
+        if "report-uri" in response[HEADER]:
+            times_seen += 1
+        if "report-to" in response[HEADER]:
+            times_seen += 1
+    # Roughly 10%
+    assert 400 <= times_seen <= 600
+
+
 @override_settings(CONTENT_SECURITY_POLICY={"REPORT_PERCENTAGE": 100, "DIRECTIVES": {"report-uri": "x"}})
 def test_report_percentage_100() -> None:
     times_seen = 0

diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -110,10 +110,9 @@ policy.
        on the same origin.
 
 ``REPORT_PERCENTAGE``
-    Percentage of requests that should see the ``report-uri`` directive.
-    Use this to throttle the number of CSP violation reports made to your
-    ``report-uri``. An **integer** between 0 and 100 (0 = no reports at all).
-    Ignored if ``report-uri`` isn't set.
+    Percentage of requests that should see the ``report-uri`` directive.  Use this to throttle the
+    number of CSP violation reports made to your ``report-uri``. A **float** between 0.0 and 100.0
+    (0.0 = no reports at all, 100.0 = always report).  Ignored if ``report-uri`` isn't set.
 
 ``DIRECTIVES``
     A dictionary of policy directives. Each key in the dictionary is a directive and the value is a

diff --git a/docs/migration-guide.rst b/docs/migration-guide.rst
@@ -130,14 +130,14 @@ The new settings would be:
 
 .. note::
 
-    If you were using the ``CSP_REPORT_PERCENTAGE`` setting, this should be updated to be an integer
-    percentage and not a decimal value in the new settings format. For example, if you had
-    ``CSP_REPORT_PERCENTAGE = 0.1``, this should be updated to:
+    If you were using the ``CSP_REPORT_PERCENTAGE`` setting, this should be updated to be a float
+    percentage between 0.0 and 100.0. For example, if you had ``CSP_REPORT_PERCENTAGE = 0.1``, this
+    should be updated to ``10.0`` to represent 10% of CSP errors will be reported:
 
     .. code-block:: python
 
         CONTENT_SECURITY_POLICY = {
-            "REPORT_PERCENTAGE": 10,
+            "REPORT_PERCENTAGE": 10.0,
             "DIRECTIVES": {
                 "report-uri": "/csp-report/",
                 # ...

diff --git a/docs/reports.rst b/docs/reports.rst
@@ -20,7 +20,7 @@ and set the ``REPORT_PERCENTAGE`` option:
 
 ``REPORT_PERCENTAGE``
     Percentage of requests that should see the ``report-uri`` directive.  Use this to throttle the
-    number of CSP violation reports made to your ``report-uri``. An **integer** between 0 and 100 (0
-    = no reports at all).  Ignored if ``report-uri`` isn't set.
+    number of CSP violation reports made to your ``report-uri``. A **float** between 0.0 and 100.0
+    (0.0 = no reports at all, 100.0 = always report).  Ignored if ``report-uri`` isn't set.
 
 .. _report: http://www.w3.org/TR/CSP/#sample-violation-report