Skip to content

Refactor on csp_nonce usage with django-csp #2088

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Mar 19, 2025
Merged

Refactor on csp_nonce usage with django-csp #2088

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
89b51bf
Rely on django-csp's private attribute for nonce
tim-schilling Feb 26, 2025
c1bd360
Add csp to our words list.
tim-schilling Feb 26, 2025
aa229c0
Switch from list comprehension copy to explict copy
tim-schilling Feb 27, 2025
43ec028
Consolidate csp_nonce usages to a single property on the toolbar. (#2…
tim-schilling Mar 14, 2025
f0b2f61
Merge branch 'main' into django-csp-4.0
tim-schilling Mar 14, 2025
98678de
Update csp_nonce docstring
tim-schilling Mar 17, 2025
18c53ba
Merge branch 'main' into django-csp-4.0
tim-schilling Mar 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions debug_toolbar/templates/debug_toolbar/base.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
{% load i18n static %}
{% block css %}
<link{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/print.css' %}" media="print">
<link{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/toolbar.css' %}">
<link{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/print.css' %}" media="print">
<link{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/toolbar.css' %}">
{% endblock %}
{% block js %}
<script{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/toolbar.js' %}" async></script>
<script{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/toolbar.js' %}" async></script>
{% endblock %}
<div id="djDebug" class="djdt-hidden" dir="ltr"
{% if not toolbar.should_render_panels %}
Expand Down
2 changes: 1 addition & 1 deletion debug_toolbar/templates/debug_toolbar/includes/panel_content.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ <h3>{{ panel.title }}</h3>
</div>
<div class="djDebugPanelContent">
{% if toolbar.should_render_panels %}
{% for script in panel.scripts %}<script{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} type="module" src="{{ script }}" async></script>{% endfor %}
{% for script in panel.scripts %}<script{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} type="module" src="{{ script }}" async></script>{% endfor %}
<div class="djdt-scroll">{{ panel.content }}</div>
{% else %}
<div class="djdt-loader"></div>
Expand Down
2 changes: 1 addition & 1 deletion debug_toolbar/templates/debug_toolbar/redirect.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
<html lang="en">
<head>
<title>Django Debug Toolbar Redirects Panel: {{ status_line }}</title>
<script{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/redirect.js' %}" async></script>
<script{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/redirect.js' %}" async></script>
</head>
<body>
<h1>{{ status_line }}</h1>
Expand Down
10 changes: 10 additions & 0 deletions debug_toolbar/toolbar.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,16 @@ def enabled_panels(self):
"""
return [panel for panel in self._panels.values() if panel.enabled]

@property
def csp_nonce(self):
"""
Look up the Content Security Policy nonce if there is one.

This is built specifically for django-csp, which may not always
have a nonce associated with the request.
"""
return getattr(self.request, "csp_nonce", None)

def get_panel_by_id(self, panel_id):
"""
Get the panel with the given id, which is the class name by default.
Expand Down
2 changes: 2 additions & 0 deletions docs/changes.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ Pending
* Avoided a "forked" Promise chain in the rebound ``window.fetch`` function
with missing exception handling.
* Fixed the pygments code highlighting when using dark mode.
* Fix for exception-unhandled "forked" Promise chain in rebound window.fetch
* Create a CSP nonce property on the toolbar ``Toolbar().csp_nonce``.

5.0.1 (2025-01-13)
------------------
Expand Down
1 change: 1 addition & 0 deletions docs/spelling_wordlist.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ backported
biome
checkbox
contrib
csp
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think my note in the changelog triggered it as a word despite being django-csp

dicts
django
fallbacks
Expand Down
144 changes: 89 additions & 55 deletions tests/test_csp_rendering.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,13 @@

from .base import IntegrationTestCase

MIDDLEWARE_CSP_BEFORE = settings.MIDDLEWARE.copy()
MIDDLEWARE_CSP_BEFORE.insert(
MIDDLEWARE_CSP_BEFORE.index("debug_toolbar.middleware.DebugToolbarMiddleware"),
"csp.middleware.CSPMiddleware",
)
MIDDLEWARE_CSP_LAST = settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]


def get_namespaces(element: Element) -> dict[str, str]:
"""
Expand Down Expand Up @@ -63,70 +70,97 @@ def _fail_on_invalid_html(self, content: bytes, parser: HTMLParser):
msg = self._formatMessage(None, "\n".join(default_msg))
raise self.failureException(msg)

@override_settings(
MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
)
def test_exists(self):
"""A `nonce` should exist when using the `CSPMiddleware`."""
response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
self.assertEqual(response.status_code, 200)

html_root: Element = self.parser.parse(stream=response.content)
self._fail_on_invalid_html(content=response.content, parser=self.parser)
self.assertContains(response, "djDebug")

namespaces = get_namespaces(element=html_root)
toolbar = list(DebugToolbar._store.values())[0]
nonce = str(toolbar.request.csp_nonce)
self._fail_if_missing(
root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
)
self._fail_if_missing(
root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
)
for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
with self.settings(MIDDLEWARE=middleware):
response = cast(HttpResponse, self.client.get(path="/csp_view/"))
self.assertEqual(response.status_code, 200)

html_root: Element = self.parser.parse(stream=response.content)
self._fail_on_invalid_html(content=response.content, parser=self.parser)
self.assertContains(response, "djDebug")

namespaces = get_namespaces(element=html_root)
toolbar = list(DebugToolbar._store.values())[-1]
nonce = str(toolbar.csp_nonce)
self._fail_if_missing(
root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
)
self._fail_if_missing(
root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
)

def test_does_not_exist_nonce_wasnt_used(self):
"""
A `nonce` should not exist even when using the `CSPMiddleware`
if the view didn't access the request.csp_nonce attribute.
"""
for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
with self.settings(MIDDLEWARE=middleware):
response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
self.assertEqual(response.status_code, 200)

html_root: Element = self.parser.parse(stream=response.content)
self._fail_on_invalid_html(content=response.content, parser=self.parser)
self.assertContains(response, "djDebug")

namespaces = get_namespaces(element=html_root)
self._fail_if_found(
root=html_root, path=".//link", namespaces=namespaces
)
self._fail_if_found(
root=html_root, path=".//script", namespaces=namespaces
)

@override_settings(
DEBUG_TOOLBAR_CONFIG={"DISABLE_PANELS": set()},
MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"],
)
def test_redirects_exists(self):
response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
self.assertEqual(response.status_code, 200)
for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
with self.settings(MIDDLEWARE=middleware):
response = cast(HttpResponse, self.client.get(path="/csp_view/"))
self.assertEqual(response.status_code, 200)

html_root: Element = self.parser.parse(stream=response.content)
self._fail_on_invalid_html(content=response.content, parser=self.parser)
self.assertContains(response, "djDebug")

namespaces = get_namespaces(element=html_root)
context: ContextList = response.context # pyright: ignore[reportAttributeAccessIssue]
nonce = str(context["toolbar"].csp_nonce)
self._fail_if_missing(
root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
)
self._fail_if_missing(
root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
)

html_root: Element = self.parser.parse(stream=response.content)
self._fail_on_invalid_html(content=response.content, parser=self.parser)
self.assertContains(response, "djDebug")

namespaces = get_namespaces(element=html_root)
context: ContextList = response.context # pyright: ignore[reportAttributeAccessIssue]
nonce = str(context["toolbar"].request.csp_nonce)
self._fail_if_missing(
root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
)
self._fail_if_missing(
root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
)

@override_settings(
MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
)
def test_panel_content_nonce_exists(self):
response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
self.assertEqual(response.status_code, 200)

toolbar = list(DebugToolbar._store.values())[0]
panels_to_check = ["HistoryPanel", "TimerPanel"]
for panel in panels_to_check:
content = toolbar.get_panel_by_id(panel).content
html_root: Element = self.parser.parse(stream=content)
namespaces = get_namespaces(element=html_root)
nonce = str(toolbar.request.csp_nonce)
self._fail_if_missing(
root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
)
self._fail_if_missing(
root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
)
for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
with self.settings(MIDDLEWARE=middleware):
response = cast(HttpResponse, self.client.get(path="/csp_view/"))
self.assertEqual(response.status_code, 200)

toolbar = list(DebugToolbar._store.values())[-1]
panels_to_check = ["HistoryPanel", "TimerPanel"]
for panel in panels_to_check:
content = toolbar.get_panel_by_id(panel).content
html_root: Element = self.parser.parse(stream=content)
namespaces = get_namespaces(element=html_root)
nonce = str(toolbar.csp_nonce)
self._fail_if_missing(
root=html_root,
path=".//link",
namespaces=namespaces,
nonce=nonce,
)
self._fail_if_missing(
root=html_root,
path=".//script",
namespaces=namespaces,
nonce=nonce,
)

def test_missing(self):
"""A `nonce` should not exist when not using the `CSPMiddleware`."""
Expand Down
1 change: 1 addition & 0 deletions tests/urls.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
path("redirect/", views.redirect_view),
path("ajax/", views.ajax_view),
path("login_without_redirect/", LoginView.as_view(redirect_field_name=None)),
path("csp_view/", views.csp_view),
path("admin/", admin.site.urls),
path("__debug__/", include("debug_toolbar.urls")),
]
5 changes: 5 additions & 0 deletions tests/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,11 @@ def regular_view(request, title):
return render(request, "basic.html", {"title": title})


def csp_view(request):
"""Use request.csp_nonce to inject it into the headers"""
return render(request, "basic.html", {"title": f"CSP {request.csp_nonce}"})
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The nonce needed to be rendered in the view. I chose to do it here.



def template_response_view(request, title):
return TemplateResponse(request, "basic.html", {"title": title})

Expand Down
2 changes: 1 addition & 1 deletion tox.ini
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ deps =
pygments
selenium>=4.8.0
sqlparse
django-csp<4
django-csp
passenv=
CI
COVERAGE_ARGS
Expand Down