Refactor on csp_nonce usage with django-csp #2088
Conversation
This refactors how the CSP nonce is fetched. It's now done as a toolbar property and wraps the private attribute request._csp_nonce. This keeps the toolbar from generating a nonce that gets injected into the CSP header when the view doesn't expect it to. It also supports using a nonce that is generated from any other point while processing the request, including other middleware.
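The failure mode the description refers to (a nonce minted by the toolbar and committed to the CSP header when the view's own scripts never carried one) is easiest to see end to end. The following is an added example and is not code from this PR, from django-debug-toolbar or from django-csp: the LazyNonce and Request classes, the toolbar_nonce_* helpers and the policy are stand-ins that model the behaviour described in the thread (a lazy value that generates a nonce on first read), and the CSP rule applied is the standard one that 'unsafe-inline' is ignored once a nonce source is present.

```python
import base64
import re
import secrets


class LazyNonce:
    """Stand-in for a nonce that is generated on first access.

    Assumption: this models the lazy object described in the thread (a
    value that mints a nonce when read); it is not django-csp's own code.
    """

    def __init__(self):
        self._value = None

    def get(self):
        # First read mints the nonce; later reads return the same value.
        if self._value is None:
            self._value = base64.b64encode(secrets.token_bytes(16)).decode()
        return self._value

    def peek(self):
        # Read-only view: None if nothing has minted a nonce yet.
        return self._value


class Request:
    """Minimal request object carrying the lazy nonce (hypothetical, not Django's)."""

    def __init__(self):
        self._lazy_nonce = LazyNonce()

    @property
    def csp_nonce(self):
        # Reading this attribute generates a nonce and therefore commits it
        # to the response header, which is the behaviour the PR works around.
        return self._lazy_nonce.get()


BASE_POLICY = ["'self'", "'unsafe-inline'"]


def build_script_src(request):
    """Build a script-src directive from the nonce state at response time."""
    sources = list(BASE_POLICY)
    nonce = request._lazy_nonce.peek()
    if nonce is not None:
        sources.append(f"'nonce-{nonce}'")
    return "script-src " + " ".join(sources)


def inline_scripts_allowed(script_src, html):
    """Check every inline <script> in html against script_src.

    CSP rule modelled here: once a nonce source is present, 'unsafe-inline'
    is ignored, so an inline script runs only if its nonce attribute matches.
    """
    nonces = set(re.findall(r"'nonce-([^']+)'", script_src))
    if not nonces:
        return "'unsafe-inline'" in script_src
    for m in re.finditer(r'<script(?:\s+nonce="([^"]*)")?>', html):
        if m.group(1) not in nonces:
            return False
    return True


def toolbar_nonce_forced(request):
    """Old approach: the toolbar reads request.csp_nonce, minting one if absent."""
    return request.csp_nonce


def toolbar_nonce_read_only(request):
    """New approach: only reuse a nonce something earlier in the request created."""
    return request._lazy_nonce.peek()


def simulate(view_uses_nonce, toolbar_read_only):
    """Run one request; return (script_src, html, all_inline_scripts_allowed)."""
    request = Request()

    # 1. The view renders its own inline script, with or without a nonce.
    if view_uses_nonce:
        html = f'<script nonce="{request.csp_nonce}">app();</script>'
    else:
        html = "<script>app();</script>"

    # 2. The toolbar injects its asset after the view has run.
    fetch = toolbar_nonce_read_only if toolbar_read_only else toolbar_nonce_forced
    nonce = fetch(request)
    if nonce is None:
        html += "<script>toolbar();</script>"
    else:
        html += f'<script nonce="{nonce}">toolbar();</script>'

    # 3. The CSP middleware emits the header from the final nonce state.
    script_src = build_script_src(request)
    return script_src, html, inline_scripts_allowed(script_src, html)


if __name__ == "__main__":
    for uses_nonce in (True, False):
        for read_only in (True, False):
            src, _, ok = simulate(uses_nonce, read_only)
            status = "OK" if ok else "BLOCKED"
            print(f"view nonce={uses_nonce!s:5} toolbar read-only={read_only!s:5} -> {status}: {src}")
```

The only combination that breaks is a view that did not use a nonce together with a toolbar that forces one: the header then carries a nonce the view's own script tag lacks, 'unsafe-inline' stops applying, and the page's script is blocked while the toolbar's runs. A read-only fetch leaves the header untouched in that case, which is why the thread settles on a read-only csp_nonce.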
@@ -42,6 +42,11 @@ def regular_view(request, title): | |||
return render(request, "basic.html", {"title": title}) | |||
|
|||
|
|||
def csp_view(request): | |||
"""Use request.csp_nonce to inject it into the headers""" | |||
return render(request, "basic.html", {"title": f"CSP {request.csp_nonce}"}) |
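Review bot: the docstring on csp_view says it injects the nonce into the headers, but the body only renders request.csp_nonce into the page title; it is the act of reading the attribute that makes the nonce land in the CSP header. Spell that out so the purpose of the read is clear, e.g. `"""Read request.csp_nonce so the CSP middleware emits it in the header."""`, and consider placing the nonce on a script or style tag in the template rather than in the title, since a nonced asset on the page is the case the toolbar's injected assets must stay consistent with.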
The nonce needed to be rendered in the view. I chose to do it here.
The latest commit on django-csp changes the way nonce access is handled in a way that may help this situation and avoid having to use the private attribute. If the nonce was used in the content it will still be available after the middleware has processed the response, so other middleware can reference it. If the nonce was NOT used in the content it will raise the error, but also checking the nonce via
You can see the changes in the PR: mozilla/django-csp#269
The lazy object solution may not work for the toolbar in the case where
This seems like the CSP for this response would include the nonce in the header, on the toolbar assets, but not the user's own static assets. I believe that will violate the CSP and cause things to not load/run properly. Please correct me if I'm wrong here. CSP isn't something I'm great with. I'd like to avoid having to dictate what order these middleware need to appear in. Though that may be me trying to have my cake and eat it too. |
OK, what if in step 4
@jwhitlock yup, yup. That would work well. A read-only csp_nonce is what the toolbar needs and why relying on the private attribute worked. I don't know how much of
Thanks, I should be able to get that PR open today or tomorrow. Until then, maybe the solution is to exclude django-csp 4.0b4? It seems
This has been updated to properly handle the new csp middleware as discussed in mozilla/django-csp#268
debug_toolbar/toolbar.py
because the lazy object wrapped value can generate a nonce by | ||
accessing it. This isn't ideal when the toolbar is injecting context | ||
into the response because it may set a nonce not used with | ||
other assets. |
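Review bot: the phrase "may set a nonce not used with other assets" understates the consequence; state it plainly in the comment: a nonce that reaches the CSP header only because the toolbar touched the lazy value is absent from the page's own script and style tags, so those assets fail the policy and are blocked, which is the case raised earlier in this thread. Suggested wording: "accessing it mints a nonce and commits it to the CSP header even when the view's own assets carry none, so those assets would be blocked."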
I believe this comment is now out of date - no private attribute is being used.
Thank you. Good catch!
LGTM! Thank you.
I didn't know self.settings(), there's always something new.
@@ -16,6 +16,7 @@ backported | |||
biome | |||
checkbox | |||
contrib | |||
csp |
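Review bot: "csp" is inserted in alphabetical position, which is correct, but the thread says the trigger was the package name django-csp in the changelog rather than the bare acronym; if the spell checker accepts hyphenated entries, allowlisting "django-csp" is narrower and would still flag a stray "csp" elsewhere. If it does not, the bare word is acceptable since it is a real acronym used throughout the code and docs.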
Do we need this?
Yes, I think my note in the changelog triggered it as a word despite being django-csp
This looks good to me. django-csp==4.0b7 is out now. Hopefully that's the last one before the official 4.0 release.
Description
This refactors how the CSP nonce is fetched. It's now done as a toolbar property and wraps the attribute request.csp_nonce. This keeps the toolbar from generating a nonce that gets injected into the CSP header when the view doesn't expect it to. It also supports using a nonce that is generated from any other point while processing the request, including other middleware.
Fixes #2082
Checklist: docs/changes.rst.