dryan · September 13, 2023 14:40
diff --git a/middleware.py b/middleware.py
 import random
 import string
 import typing

 from django.conf import settings

 # if you have a Report-To service, add it to settings.py along with
 # adding ReportToMiddleware to settings.MIDDLEWARE


 class ReportToMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
        self.directive = getattr(settings, "REPORT_TO_DIRECTIVE", None)

    def __call__(self, request):
        response = self.get_response(request)
        if request.path.startswith(settings.STATIC_URL):
            return response
        if self.directive and not response.has_header("Report-To"):
            response["Report-To"] = self.directive
        return response


 # CSPSources is where you configure all your various source sections


 class CSPSources:
    DEFAULT = ["'self'"]
    STYLE = [
        "'self'",
        "https://cdn.jsdelivr.net",
        settings.STATIC_URL if settings.STATIC_URL.startswith("http") else None,
        # add more domains or sha hashes here
    ]
    SCRIPT = [
        "'self'",
        "https://cdn.jsdelivr.net",
        settings.STATIC_URL if settings.STATIC_URL.startswith("http") else None,
        # add more domains or sha hashes here
    ]
    FONT = [
        "'self'",
        settings.STATIC_URL if settings.STATIC_URL.startswith("http") else None,
        # add more domains or sha hashes here
    ]
    IMG = [
        "'self'",
        "https:",  # allow all secure images
        "data:",  # allow inline images
    ]
    # for iframes, uncomment the YouTube lines if you want to embed YouTube videos
    FRAME = [
        "'self'",
        # "https://www.youtube-nocookie.com",
        # "https://www.youtube.com",
        # "https://youtube.com",
        # add more domains or sha hashes here
    ]
    # for websockets. some analytics tools use these.
    # look for blocked domains in the web console and add them
    CONNECT = [
        "'self'",
    ]

    @classmethod
    def get_source_section(
        cls, section: str, *, nonce: typing.Optional[str] = None
    ) -> typing.Sequence[str]:
        sources = list(getattr(cls, section.upper(), []))
        if nonce and "'unsafe-inline'" not in sources:
            # it's an error to set nonce and unsafe-inline at the same time
            # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script
            sources.append(f"'nonce-{nonce}'")
        return [x for x in sources if x]

    @classmethod
    def get_csp_header(cls, *, nonce: typing.Optional[str] = None) -> str:
        sources = {
            "default-src": cls.get_source_section("default", nonce=nonce),
            "style-src": cls.get_source_section("style", nonce=nonce),
            "script-src": cls.get_source_section("script", nonce=nonce),
            "font-src": cls.get_source_section("font"),
            "img-src": cls.get_source_section("img"),
            "frame-src": cls.get_source_section("frame"),
            "connect-src": cls.get_source_section("connect"),
            "report-to": ["default"],
        }
        csp = [
            f"{key} {' '.join(sorted(values))}"
            for key, values in sorted(sources.items(), key=lambda x: x[0])
        ]
        return "; ".join(csp).replace(" ; ", "; ").replace("  ", " ")


 class ContentSecurityPolicyMiddleware:
    """
    This middleware adds a Content-Security-Policy header to most responses.

    It also replaces CSP_NONCE in the response body with a nonce value.

    By default, server errors are excluded from CSP _if_ DEBUG is True.

    Additionally, adding paths to settings.CSP_EXCLUDE_URL_PREFIXES will exclude
    those paths from CSP.
    """

    def __init__(self, get_reponse):
        self.get_response = get_reponse
        self.nonce = "".join(random.choices(string.ascii_letters + string.digits, k=32))

    def __call__(self, request):
        response = self.get_response(request)
        # this let's Django's error pages be styled during local development
        if settings.DEBUG and response.status_code in [500]:
            return response
        for prefix in list(getattr(settings, "CSP_EXCLUDE_URL_PREFIXES", [])) + [
            settings.STATIC_URL
        ]:
            if prefix and request.path.startswith(prefix):
                return response
        response["Content-Security-Policy"] = CSPSources.get_csp_header(
            nonce=self.nonce
        )
        if response.get("Content-Type", "").startswith("text/html") and getattr(
            response, "content", None
        ):
            response.content = response.content.replace(
                b"CSP_NONCE",
                self.nonce.encode("utf-8"),
            )
            if "Content-Length" in response:
                response["Content-Length"] = len(response.content)
        return response
diff --git a/test_middleware.py b/test_middleware.py
 import functools
 from unittest import TestCase

 from django.conf import settings
 from django.http import HttpRequest
 from django.test import override_settings
 from django.urls import reverse

 from .middleware import ContentSecurityPolicyMiddleware
 from .middleware import CSPSources
 from .middleware import ReportToMiddleware


 def get_response(request):
    class MockResponse(dict):
        def __init__(self, request):
            self.request = request

        def has_header(self, name):
            return name in self

    return MockResponse(request)


 def get_html_response(request, markup=""):
    response = get_response(request)
    response["Content-Type"] = "text/html"
    response.content = (
        f'<!DOCTYPE html><html><head><link href="https://example.com/test" '
        f'rel="shortlink"></head><body>{markup}</body></html>'
    ).encode()
    return response


 get_html_response_with_nonce = functools.partial(
    get_html_response, markup='<script nonce="CSP_NONCE">console.log("test");</script>'
 )

 TEST_REPORT_TO_DIRECTIVE = (
    '{"group":"default","max_age":31536000,'
    '"endpoints":[{"url":"https://example.com/"}],'
    '"include_subdomains":true}'
 )


 class ReportToMiddlewareTests(TestCase):
    @override_settings(REPORT_TO_DIRECTIVE=TEST_REPORT_TO_DIRECTIVE)
    def setUp(self):
        super().setUp()
        self.request = HttpRequest()
        self.request.method = "GET"
        self.request.path = reverse("home")
        self.middleware = ReportToMiddleware(get_response)

    def test_header_is_set(self):
        output = self.middleware(self.request)
        self.assertIn("Report-To", output)
        self.assertEqual(output.get("Report-To"), TEST_REPORT_TO_DIRECTIVE)

    def test_header_is_not_set_for_assets(self):
        self.request.path = settings.STATIC_URL
        output = self.middleware(self.request)
        self.assertNotIn("Report-To", output)


 class ContentSecurityPolicyMiddlewareTests(TestCase):
    maxDiff = None

    def setUp(self):
        super().setUp()
        self.request = HttpRequest()
        self.request.method = "GET"
        self.request.path = reverse("home")
        self.middleware = ContentSecurityPolicyMiddleware(get_response)

    def test_default_csp_header(self):
        self.middleware.nonce = "TEST_NONCE"
        output = self.middleware(self.request)
        self.assertIn("Content-Security-Policy", output)
        self.assertEqual(
            output["Content-Security-Policy"],
            CSPSources.get_csp_header(nonce=self.middleware.nonce),
        )

    @override_settings(STATIC_URL="/static/")
    def test_header_is_not_set_for_assets(self):
        self.request.path = "/static/test.js"
        output = self.middleware(self.request)
        self.assertNotIn("Content-Security-Policy", output)

    def test_csp_nonce_is_replaced(self):
        self.middleware = ContentSecurityPolicyMiddleware(get_html_response_with_nonce)
        self.middleware.nonce = "TEST_NONCE"
        output = self.middleware(self.request)
        self.assertIn(b'<script nonce="TEST_NONCE">', output.content)
	import random
	import string
	import typing

	from django.conf import settings

	# if you have a Report-To service, add it to settings.py along with
	# adding ReportToMiddleware to settings.MIDDLEWARE


	class ReportToMiddleware:
	def __init__(self, get_response):
	self.get_response = get_response
	self.directive = getattr(settings, "REPORT_TO_DIRECTIVE", None)

	def __call__(self, request):
	response = self.get_response(request)
	if request.path.startswith(settings.STATIC_URL):
	return response
	if self.directive and not response.has_header("Report-To"):
	response["Report-To"] = self.directive
	return response


	# CSPSources is where you configure all your various source sections


	class CSPSources:
	DEFAULT = ["'self'"]
	STYLE = [
	"'self'",
	"https://cdn.jsdelivr.net",
	settings.STATIC_URL if settings.STATIC_URL.startswith("http") else None,
	# add more domains or sha hashes here
	]
	SCRIPT = [
	"'self'",
	"https://cdn.jsdelivr.net",
	settings.STATIC_URL if settings.STATIC_URL.startswith("http") else None,
	# add more domains or sha hashes here
	]
	FONT = [
	"'self'",
	settings.STATIC_URL if settings.STATIC_URL.startswith("http") else None,
	# add more domains or sha hashes here
	]
	IMG = [
	"'self'",
	"https:", # allow all secure images
	"data:", # allow inline images
	]
	# for iframes, uncomment the YouTube lines if you want to embed YouTube videos
	FRAME = [
	"'self'",
	# "https://www.youtube-nocookie.com",
	# "https://www.youtube.com",
	# "https://youtube.com",
	# add more domains or sha hashes here
	]
	# for websockets. some analytics tools use these.
	# look for blocked domains in the web console and add them
	CONNECT = [
	"'self'",
	]

	@classmethod
	def get_source_section(
	cls, section: str, *, nonce: typing.Optional[str] = None
	) -> typing.Sequence[str]:
	sources = list(getattr(cls, section.upper(), []))
	if nonce and "'unsafe-inline'" not in sources:
	# it's an error to set nonce and unsafe-inline at the same time
	# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script
	sources.append(f"'nonce-{nonce}'")
	return [x for x in sources if x]

	@classmethod
	def get_csp_header(cls, *, nonce: typing.Optional[str] = None) -> str:
	sources = {
	"default-src": cls.get_source_section("default", nonce=nonce),
	"style-src": cls.get_source_section("style", nonce=nonce),
	"script-src": cls.get_source_section("script", nonce=nonce),
	"font-src": cls.get_source_section("font"),
	"img-src": cls.get_source_section("img"),
	"frame-src": cls.get_source_section("frame"),
	"connect-src": cls.get_source_section("connect"),
	"report-to": ["default"],
	}
	csp = [
	f"{key} {' '.join(sorted(values))}"
	for key, values in sorted(sources.items(), key=lambda x: x[0])
	]
	return "; ".join(csp).replace(" ; ", "; ").replace(" ", " ")


	class ContentSecurityPolicyMiddleware:
	"""
	This middleware adds a Content-Security-Policy header to most responses.

	It also replaces CSP_NONCE in the response body with a nonce value.

	By default, server errors are excluded from CSP _if_ DEBUG is True.

	Additionally, adding paths to settings.CSP_EXCLUDE_URL_PREFIXES will exclude
	those paths from CSP.
	"""

	def __init__(self, get_reponse):
	self.get_response = get_reponse
	self.nonce = "".join(random.choices(string.ascii_letters + string.digits, k=32))

	def __call__(self, request):
	response = self.get_response(request)
	# this let's Django's error pages be styled during local development
	if settings.DEBUG and response.status_code in [500]:
	return response
	for prefix in list(getattr(settings, "CSP_EXCLUDE_URL_PREFIXES", [])) + [
	settings.STATIC_URL
	]:
	if prefix and request.path.startswith(prefix):
	return response
	response["Content-Security-Policy"] = CSPSources.get_csp_header(
	nonce=self.nonce
	)
	if response.get("Content-Type", "").startswith("text/html") and getattr(
	response, "content", None
	):
	response.content = response.content.replace(
	b"CSP_NONCE",
	self.nonce.encode("utf-8"),
	)
	if "Content-Length" in response:
	response["Content-Length"] = len(response.content)
	return response
	import functools
	from unittest import TestCase

	from django.conf import settings
	from django.http import HttpRequest
	from django.test import override_settings
	from django.urls import reverse

	from .middleware import ContentSecurityPolicyMiddleware
	from .middleware import CSPSources
	from .middleware import ReportToMiddleware


	def get_response(request):
	class MockResponse(dict):
	def __init__(self, request):
	self.request = request

	def has_header(self, name):
	return name in self

	return MockResponse(request)


	def get_html_response(request, markup=""):
	response = get_response(request)
	response["Content-Type"] = "text/html"
	response.content = (
	f'<!DOCTYPE html><html><head><link href="https://example.com/test" '
	f'rel="shortlink"></head><body>{markup}</body></html>'
	).encode()
	return response


	get_html_response_with_nonce = functools.partial(
	get_html_response, markup='<script nonce="CSP_NONCE">console.log("test");</script>'
	)

	TEST_REPORT_TO_DIRECTIVE = (
	'{"group":"default","max_age":31536000,'
	'"endpoints":[{"url":"https://example.com/"}],'
	'"include_subdomains":true}'
	)


	class ReportToMiddlewareTests(TestCase):
	@override_settings(REPORT_TO_DIRECTIVE=TEST_REPORT_TO_DIRECTIVE)
	def setUp(self):
	super().setUp()
	self.request = HttpRequest()
	self.request.method = "GET"
	self.request.path = reverse("home")
	self.middleware = ReportToMiddleware(get_response)

	def test_header_is_set(self):
	output = self.middleware(self.request)
	self.assertIn("Report-To", output)
	self.assertEqual(output.get("Report-To"), TEST_REPORT_TO_DIRECTIVE)

	def test_header_is_not_set_for_assets(self):
	self.request.path = settings.STATIC_URL
	output = self.middleware(self.request)
	self.assertNotIn("Report-To", output)


	class ContentSecurityPolicyMiddlewareTests(TestCase):
	maxDiff = None

	def setUp(self):
	super().setUp()
	self.request = HttpRequest()
	self.request.method = "GET"
	self.request.path = reverse("home")
	self.middleware = ContentSecurityPolicyMiddleware(get_response)

	def test_default_csp_header(self):
	self.middleware.nonce = "TEST_NONCE"
	output = self.middleware(self.request)
	self.assertIn("Content-Security-Policy", output)
	self.assertEqual(
	output["Content-Security-Policy"],
	CSPSources.get_csp_header(nonce=self.middleware.nonce),
	)

	@override_settings(STATIC_URL="/static/")
	def test_header_is_not_set_for_assets(self):
	self.request.path = "/static/test.js"
	output = self.middleware(self.request)
	self.assertNotIn("Content-Security-Policy", output)

	def test_csp_nonce_is_replaced(self):
	self.middleware = ContentSecurityPolicyMiddleware(get_html_response_with_nonce)
	self.middleware.nonce = "TEST_NONCE"
	output = self.middleware(self.request)
	self.assertIn(b'<script nonce="TEST_NONCE">', output.content)