diff --git a/.coveragerc b/.coveragerc new file mode 100644 index 0000000..8856437 --- /dev/null +++ b/.coveragerc @@ -0,0 +1,4 @@ +[run] +source = csp +omit = + csp/tests/* diff --git a/csp/contrib/rate_limiting.py b/csp/contrib/rate_limiting.py index 2419c67..2c8025f 100644 --- a/csp/contrib/rate_limiting.py +++ b/csp/contrib/rate_limiting.py @@ -16,9 +16,32 @@ def build_policy(self, request, response): replace = getattr(response, "_csp_replace", {}) nonce = getattr(request, "_csp_nonce", None) - report_percentage = getattr(settings, "CSP_REPORT_PERCENTAGE") - include_report_uri = random.random() < report_percentage + policy = getattr(settings, "CONTENT_SECURITY_POLICY", {}) + + if policy is None: + return "" + + report_percentage = policy.get("REPORT_PERCENTAGE", 100) + include_report_uri = random.randint(0, 100) < report_percentage if not include_report_uri: replace["report-uri"] = None return build_policy(config=config, update=update, replace=replace, nonce=nonce) + + def build_policy_ro(self, request, response): + config = getattr(response, "_csp_config_ro", None) + update = getattr(response, "_csp_update_ro", None) + replace = getattr(response, "_csp_replace_ro", {}) + nonce = getattr(request, "_csp_nonce", None) + + policy = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", {}) + + if policy is None: + return "" + + report_percentage = policy.get("REPORT_PERCENTAGE", 100) + include_report_uri = random.randint(0, 100) < report_percentage + if not include_report_uri: + replace["report-uri"] = None + + return build_policy(config=config, update=update, replace=replace, nonce=nonce, report_only=True) diff --git a/csp/decorators.py b/csp/decorators.py index 69d0f85..a96d244 100644 --- a/csp/decorators.py +++ b/csp/decorators.py @@ -1,24 +1,31 @@ from functools import wraps -def csp_exempt(f): - @wraps(f) - def _wrapped(*a, **kw): - r = f(*a, **kw) - r._csp_exempt = True - return r +def csp_exempt(REPORT_ONLY=None): + def decorator(f): + @wraps(f) + def _wrapped(*a, **kw): + r = f(*a, **kw) + if REPORT_ONLY: + r._csp_exempt_ro = True + else: + r._csp_exempt = True + return r - return _wrapped + return _wrapped + return decorator -def csp_update(**kwargs): - update = {k.lower().replace("_", "-"): v for k, v in kwargs.items()} +def csp_update(config, *, REPORT_ONLY=False): def decorator(f): @wraps(f) def _wrapped(*a, **kw): r = f(*a, **kw) - r._csp_update = update + if REPORT_ONLY: + r._csp_update_ro = config + else: + r._csp_update = config return r return _wrapped @@ -26,14 +33,15 @@ def _wrapped(*a, **kw): return decorator -def csp_replace(**kwargs): - replace = {k.lower().replace("_", "-"): v for k, v in kwargs.items()} - +def csp_replace(config, *, REPORT_ONLY=False): def decorator(f): @wraps(f) def _wrapped(*a, **kw): r = f(*a, **kw) - r._csp_replace = replace + if REPORT_ONLY: + r._csp_replace_ro = config + else: + r._csp_replace = config return r return _wrapped @@ -41,14 +49,17 @@ def _wrapped(*a, **kw): return decorator -def csp(**kwargs): - config = {k.lower().replace("_", "-"): [v] if isinstance(v, str) else v for k, v in kwargs.items()} +def csp(config, *, REPORT_ONLY=False): + config = {k: [v] if isinstance(v, str) else v for k, v in config.items()} def decorator(f): @wraps(f) def _wrapped(*a, **kw): r = f(*a, **kw) - r._csp_config = config + if REPORT_ONLY: + r._csp_config_ro = config + else: + r._csp_config = config return r return _wrapped diff --git a/csp/middleware.py b/csp/middleware.py index 35465d9..95bdfa4 100644 --- a/csp/middleware.py +++ b/csp/middleware.py @@ -21,8 +21,7 @@ class CSPMiddleware(MiddlewareMixin): """ def _make_nonce(self, request): - # Ensure that any subsequent calls to request.csp_nonce return the - # same value + # Ensure that any subsequent calls to request.csp_nonce return the same value if not getattr(request, "_csp_nonce", None): request._csp_nonce = base64.b64encode(os.urandom(16)).decode("ascii") return request._csp_nonce @@ -32,32 +31,36 @@ def process_request(self, request): request.csp_nonce = SimpleLazyObject(nonce) def process_response(self, request, response): - if getattr(response, "_csp_exempt", False): - return response - - # Check for ignored path prefix. - prefixes = getattr(settings, "CSP_EXCLUDE_URL_PREFIXES", ()) - if request.path_info.startswith(prefixes): - return response - # Check for debug view - status_code = response.status_code exempted_debug_codes = ( http_client.INTERNAL_SERVER_ERROR, http_client.NOT_FOUND, ) - if status_code in exempted_debug_codes and settings.DEBUG: + if response.status_code in exempted_debug_codes and settings.DEBUG: return response header = "Content-Security-Policy" - if getattr(settings, "CSP_REPORT_ONLY", False): - header += "-Report-Only" - - if header in response: - # Don't overwrite existing headers. - return response - - response[header] = self.build_policy(request, response) + header_ro = "Content-Security-Policy-Report-Only" + + csp = self.build_policy(request, response) + if csp: + # Only set header if not already set and not an excluded prefix and not exempted. + is_not_exempt = getattr(response, "_csp_exempt", False) is False + no_header = header not in response + prefixes = getattr(settings, "CONTENT_SECURITY_POLICY", {}).get("EXCLUDE_URL_PREFIXES", ()) + is_not_excluded = not request.path_info.startswith(prefixes) + if all((no_header, is_not_exempt, is_not_excluded)): + response[header] = csp + + csp_ro = self.build_policy_ro(request, response) + if csp_ro: + # Only set header if not already set and not an excluded prefix and not exempted. + is_not_exempt = getattr(response, "_csp_exempt_ro", False) is False + no_header = header_ro not in response + prefixes = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", {}).get("EXCLUDE_URL_PREFIXES", ()) + is_not_excluded = not request.path_info.startswith(prefixes) + if all((no_header, is_not_exempt, is_not_excluded)): + response[header_ro] = csp_ro return response @@ -67,3 +70,10 @@ def build_policy(self, request, response): replace = getattr(response, "_csp_replace", None) nonce = getattr(request, "_csp_nonce", None) return build_policy(config=config, update=update, replace=replace, nonce=nonce) + + def build_policy_ro(self, request, response): + config = getattr(response, "_csp_config_ro", None) + update = getattr(response, "_csp_update_ro", None) + replace = getattr(response, "_csp_replace_ro", None) + nonce = getattr(request, "_csp_nonce", None) + return build_policy(config=config, update=update, replace=replace, nonce=nonce, report_only=True) diff --git a/csp/tests/settings.py b/csp/tests/settings.py index 7c97a1d..08b51a8 100644 --- a/csp/tests/settings.py +++ b/csp/tests/settings.py @@ -1,8 +1,8 @@ -import django - -CSP_REPORT_ONLY = False - -CSP_INCLUDE_NONCE_IN = ["default-src"] +CONTENT_SECURITY_POLICY = { + "DIRECTIVES": { + "include-nonce-in": ["default-src"], + } +} DATABASES = { "default": { @@ -39,8 +39,3 @@ "OPTIONS": {}, }, ] - - -# Django >1.6 requires `setup` call to initialise apps framework -if hasattr(django, "setup"): - django.setup() diff --git a/csp/tests/test_contrib.py b/csp/tests/test_contrib.py index 6b7bbc0..7c79bce 100644 --- a/csp/tests/test_contrib.py +++ b/csp/tests/test_contrib.py @@ -10,7 +10,7 @@ rf = RequestFactory() -@override_settings(CSP_REPORT_PERCENTAGE=0.1, CSP_REPORT_URI="x") +@override_settings(CONTENT_SECURITY_POLICY={"REPORT_PERCENTAGE": 10, "DIRECTIVES": {"report-uri": "x"}}) def test_report_percentage(): times_seen = 0 for _ in range(5000): @@ -21,3 +21,19 @@ def test_report_percentage(): times_seen += 1 # Roughly 10% assert 400 <= times_seen <= 600 + + +@override_settings(CONTENT_SECURITY_POLICY=None) +def test_no_csp(): + request = rf.get("/") + response = HttpResponse() + mw.process_response(request, response) + assert HEADER not in response + + +@override_settings(CONTENT_SECURITY_POLICY_REPORT_ONLY=None) +def test_no_csp_ro(): + request = rf.get("/") + response = HttpResponse() + mw.process_response(request, response) + assert f"{HEADER}-Report-Only" not in response diff --git a/csp/tests/test_decorators.py b/csp/tests/test_decorators.py index a877bc4..e3a2136 100644 --- a/csp/tests/test_decorators.py +++ b/csp/tests/test_decorators.py @@ -6,108 +6,247 @@ from csp.middleware import CSPMiddleware from csp.tests.utils import response -REQUEST = RequestFactory().get("/") mw = CSPMiddleware(response()) def test_csp_exempt(): - @csp_exempt + REQUEST = RequestFactory().get("/") + + @csp_exempt() + def view(request): + return HttpResponse() + + response = view(REQUEST) + assert response._csp_exempt is True + assert not hasattr(response, "_csp_exempt_ro") + + +def test_csp_exempt_ro(): + REQUEST = RequestFactory().get("/") + + @csp_exempt(REPORT_ONLY=True) def view(request): return HttpResponse() response = view(REQUEST) - assert response._csp_exempt + assert not hasattr(response, "_csp_exempt") + assert response._csp_exempt_ro is True -@override_settings(CSP_IMG_SRC=["foo.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["foo.com"]}}) def test_csp_update(): + REQUEST = RequestFactory().get("/") + def view_without_decorator(request): return HttpResponse() response = view_without_decorator(REQUEST) mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'", "img-src foo.com"] - @csp_update(IMG_SRC="bar.com") + @csp_update({"img-src": ["bar.com"], "include-nonce-in": ["img-src"]}) def view_with_decorator(request): return HttpResponse() response = view_with_decorator(REQUEST) - assert response._csp_update == {"img-src": "bar.com"} + assert response._csp_update == {"img-src": ["bar.com"], "include-nonce-in": ["img-src"]} + mw.process_request(REQUEST) + assert REQUEST.csp_nonce # Here to trigger the nonce creation. mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) - assert policy_list == ["default-src 'self'", "img-src foo.com bar.com"] + assert policy_list == ["default-src 'self'", f"img-src foo.com bar.com 'nonce-{REQUEST.csp_nonce}'"] response = view_without_decorator(REQUEST) mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'", "img-src foo.com"] -@override_settings(CSP_IMG_SRC=["foo.com"]) +@override_settings(CONTENT_SECURITY_POLICY=None, CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"img-src": ["foo.com"]}}) +def test_csp_update_ro(): + REQUEST = RequestFactory().get("/") + + def view_without_decorator(request): + return HttpResponse() + + response = view_without_decorator(REQUEST) + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) + assert policy_list == ["default-src 'self'", "img-src foo.com"] + + @csp_update({"img-src": ["bar.com"], "include-nonce-in": ["img-src"]}, REPORT_ONLY=True) + def view_with_decorator(request): + return HttpResponse() + + response = view_with_decorator(REQUEST) + assert response._csp_update_ro == {"img-src": ["bar.com"], "include-nonce-in": ["img-src"]} + mw.process_request(REQUEST) + assert REQUEST.csp_nonce # Here to trigger the nonce creation. + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) + assert policy_list == ["default-src 'self'", f"img-src foo.com bar.com 'nonce-{REQUEST.csp_nonce}'"] + + response = view_without_decorator(REQUEST) + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) + assert policy_list == ["default-src 'self'", "img-src foo.com"] + + +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["foo.com"]}}) def test_csp_replace(): + REQUEST = RequestFactory().get("/") + def view_without_decorator(request): return HttpResponse() response = view_without_decorator(REQUEST) mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'", "img-src foo.com"] - @csp_replace(IMG_SRC="bar.com") + @csp_replace({"img-src": ["bar.com"]}) def view_with_decorator(request): return HttpResponse() response = view_with_decorator(REQUEST) - assert response._csp_replace == {"img-src": "bar.com"} + assert response._csp_replace == {"img-src": ["bar.com"]} mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'", "img-src bar.com"] response = view_without_decorator(REQUEST) mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'", "img-src foo.com"] - @csp_replace(IMG_SRC=None) + @csp_replace({"img-src": None}) def view_removing_directive(request): return HttpResponse() response = view_removing_directive(REQUEST) mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'"] +@override_settings(CONTENT_SECURITY_POLICY=None, CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"img-src": ["foo.com"]}}) +def test_csp_replace_ro(): + REQUEST = RequestFactory().get("/") + + def view_without_decorator(request): + return HttpResponse() + + response = view_without_decorator(REQUEST) + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) + assert policy_list == ["default-src 'self'", "img-src foo.com"] + + @csp_replace({"img-src": ["bar.com"]}, REPORT_ONLY=True) + def view_with_decorator(request): + return HttpResponse() + + response = view_with_decorator(REQUEST) + assert response._csp_replace_ro == {"img-src": ["bar.com"]} + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) + assert policy_list == ["default-src 'self'", "img-src bar.com"] + + response = view_without_decorator(REQUEST) + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) + assert policy_list == ["default-src 'self'", "img-src foo.com"] + + @csp_replace({"img-src": None}, REPORT_ONLY=True) + def view_removing_directive(request): + return HttpResponse() + + response = view_removing_directive(REQUEST) + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) + assert policy_list == ["default-src 'self'"] + + def test_csp(): + REQUEST = RequestFactory().get("/") + def view_without_decorator(request): return HttpResponse() response = view_without_decorator(REQUEST) mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'"] - @csp(IMG_SRC=["foo.com"], FONT_SRC=["bar.com"]) + @csp({"img-src": ["foo.com"], "font-src": ["bar.com"]}) def view_with_decorator(request): return HttpResponse() response = view_with_decorator(REQUEST) assert response._csp_config == {"img-src": ["foo.com"], "font-src": ["bar.com"]} mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers + policy_list = sorted(response["Content-Security-Policy"].split("; ")) + assert policy_list == ["font-src bar.com", "img-src foo.com"] + + response = view_without_decorator(REQUEST) + mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers + policy_list = sorted(response["Content-Security-Policy"].split("; ")) + assert policy_list == ["default-src 'self'"] + + +def test_csp_ro(): + REQUEST = RequestFactory().get("/") + + def view_without_decorator(request): + return HttpResponse() + + response = view_without_decorator(REQUEST) + mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) + assert policy_list == ["default-src 'self'"] + + @csp({"img-src": ["foo.com"], "font-src": ["bar.com"]}, REPORT_ONLY=True) + @csp({}) # CSP with no directives effectively removes the header. + def view_with_decorator(request): + return HttpResponse() + + response = view_with_decorator(REQUEST) + assert response._csp_config_ro == {"img-src": ["foo.com"], "font-src": ["bar.com"]} + mw.process_response(REQUEST, response) + assert "Content-Security-Policy" not in response.headers + policy_list = sorted(response["Content-Security-Policy-Report-Only"].split("; ")) assert policy_list == ["font-src bar.com", "img-src foo.com"] response = view_without_decorator(REQUEST) mw.process_response(REQUEST, response) + assert "Content-Security-Policy-Report-Only" not in response.headers policy_list = sorted(response["Content-Security-Policy"].split("; ")) assert policy_list == ["default-src 'self'"] def test_csp_string_values(): # Test backwards compatibility where values were strings - @csp(IMG_SRC="foo.com", FONT_SRC="bar.com") + REQUEST = RequestFactory().get("/") + + @csp({"img-src": "foo.com", "font-src": "bar.com"}) def view_with_decorator(request): return HttpResponse() diff --git a/csp/tests/test_middleware.py b/csp/tests/test_middleware.py index 742ad1c..29b2169 100644 --- a/csp/tests/test_middleware.py +++ b/csp/tests/test_middleware.py @@ -10,6 +10,8 @@ from csp.tests.utils import response HEADER = "Content-Security-Policy" +HEADER_RO = "Content-Security-Policy-Report-Only" + mw = CSPMiddleware(response()) rf = RequestFactory() @@ -21,6 +23,18 @@ def test_add_header(): assert HEADER in response +@override_settings( + CONTENT_SECURITY_POLICY={"DIRECTIVES": {"default-src": ["example.com"]}}, + CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"default-src": ["'self'"]}}, +) +def test_both_headers(): + request = rf.get("/") + response = HttpResponse() + mw.process_response(request, response) + assert HEADER in response + assert HEADER_RO in response + + def test_exempt(): request = rf.get("/") response = HttpResponse() @@ -29,7 +43,7 @@ def test_exempt(): assert HEADER not in response -@override_settings(CSP_EXCLUDE_URL_PREFIXES=("/inlines-r-us")) +@override_settings(CONTENT_SECURITY_POLICY={"EXCLUDE_URL_PREFIXES": ["/inlines-r-us"]}) def text_exclude(): request = rf.get("/inlines-r-us/foo") response = HttpResponse() @@ -37,7 +51,10 @@ def text_exclude(): assert HEADER not in response -@override_settings(CSP_REPORT_ONLY=True) +@override_settings( + CONTENT_SECURITY_POLICY=None, + CONTENT_SECURITY_POLICY_REPORT_ONLY={"DIRECTIVES": {"default-src": ["'self'"]}}, +) def test_report_only(): request = rf.get("/") response = HttpResponse() @@ -70,7 +87,7 @@ def test_use_update(): assert response[HEADER] == "default-src 'self' example.com" -@override_settings(CSP_IMG_SRC=["foo.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["foo.com"]}}) def test_use_replace(): request = rf.get("/") response = HttpResponse() @@ -130,7 +147,7 @@ def test_nonce_regenerated_on_new_request(): assert nonce2 not in response1[HEADER] -@override_settings(CSP_INCLUDE_NONCE_IN=[]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"include-nonce-in": []}}) def test_no_nonce_when_disabled_by_settings(): request = rf.get("/") mw.process_request(request) diff --git a/csp/tests/test_utils.py b/csp/tests/test_utils.py index e4e30b6..0784f3e 100644 --- a/csp/tests/test_utils.py +++ b/csp/tests/test_utils.py @@ -1,8 +1,7 @@ -from django.conf import settings from django.test.utils import override_settings from django.utils.functional import lazy -from csp.utils import build_policy +from csp.utils import build_policy, default_config, DEFAULT_DIRECTIVES def policy_eq(a, b, msg="%r != %r"): @@ -23,121 +22,142 @@ def literal(s): lazy_literal = lazy(literal, str) -@override_settings(CSP_DEFAULT_SRC=["example.com", "example2.com"]) +def test_default_config_none(): + assert default_config(None) is None + + +def test_default_config_empty(): + # Test `default_config` with an empty dict returns defaults. + assert default_config({}) == DEFAULT_DIRECTIVES + + +def test_default_config_drops_unknown(): + # Test `default_config` drops unknown keys. + config = {"foo-src": ["example.com"]} + assert default_config(config) == DEFAULT_DIRECTIVES + + +def test_default_config(): + # Test `default_config` keeps config along with defaults. + config = {"img-src": ["example.com"]} + assert default_config(config) == {**DEFAULT_DIRECTIVES, **config} + + +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"default-src": ["example.com", "example2.com"]}}) def test_default_src(): policy = build_policy() assert "default-src example.com example2.com" == policy -@override_settings(CSP_SCRIPT_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"script-src": ["example.com"]}}) def test_script_src(): policy = build_policy() policy_eq("default-src 'self'; script-src example.com", policy) -@override_settings(CSP_SCRIPT_SRC_ATTR=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"script-src-attr": ["example.com"]}}) def test_script_src_attr(): policy = build_policy() policy_eq("default-src 'self'; script-src-attr example.com", policy) -@override_settings(CSP_SCRIPT_SRC_ELEM=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"script-src-elem": ["example.com"]}}) def test_script_src_elem(): policy = build_policy() policy_eq("default-src 'self'; script-src-elem example.com", policy) -@override_settings(CSP_OBJECT_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"object-src": ["example.com"]}}) def test_object_src(): policy = build_policy() policy_eq("default-src 'self'; object-src example.com", policy) -@override_settings(CSP_PREFETCH_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"prefetch-src": ["example.com"]}}) def test_prefetch_src(): policy = build_policy() policy_eq("default-src 'self'; prefetch-src example.com", policy) -@override_settings(CSP_STYLE_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"style-src": ["example.com"]}}) def test_style_src(): policy = build_policy() policy_eq("default-src 'self'; style-src example.com", policy) -@override_settings(CSP_STYLE_SRC_ATTR=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"style-src-attr": ["example.com"]}}) def test_style_src_attr(): policy = build_policy() policy_eq("default-src 'self'; style-src-attr example.com", policy) -@override_settings(CSP_STYLE_SRC_ELEM=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"style-src-elem": ["example.com"]}}) def test_style_src_elem(): policy = build_policy() policy_eq("default-src 'self'; style-src-elem example.com", policy) -@override_settings(CSP_IMG_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["example.com"]}}) def test_img_src(): policy = build_policy() policy_eq("default-src 'self'; img-src example.com", policy) -@override_settings(CSP_MEDIA_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"media-src": ["example.com"]}}) def test_media_src(): policy = build_policy() policy_eq("default-src 'self'; media-src example.com", policy) -@override_settings(CSP_FRAME_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"frame-src": ["example.com"]}}) def test_frame_src(): policy = build_policy() policy_eq("default-src 'self'; frame-src example.com", policy) -@override_settings(CSP_FONT_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"font-src": ["example.com"]}}) def test_font_src(): policy = build_policy() policy_eq("default-src 'self'; font-src example.com", policy) -@override_settings(CSP_CONNECT_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"connect-src": ["example.com"]}}) def test_connect_src(): policy = build_policy() policy_eq("default-src 'self'; connect-src example.com", policy) -@override_settings(CSP_SANDBOX=["allow-scripts"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"sandbox": ["allow-scripts"]}}) def test_sandbox(): policy = build_policy() policy_eq("default-src 'self'; sandbox allow-scripts", policy) -@override_settings(CSP_SANDBOX=[]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"sandbox": []}}) def test_sandbox_empty(): policy = build_policy() policy_eq("default-src 'self'; sandbox", policy) -@override_settings(CSP_REPORT_URI="/foo") +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"report-uri": "/foo"}}) def test_report_uri(): policy = build_policy() policy_eq("default-src 'self'; report-uri /foo", policy) -@override_settings(CSP_REPORT_URI=lazy_literal("/foo")) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"report-uri": lazy_literal("/foo")}}) def test_report_uri_lazy(): policy = build_policy() policy_eq("default-src 'self'; report-uri /foo", policy) -@override_settings(CSP_REPORT_TO="some_endpoint") +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"report-to": "some_endpoint"}}) def test_report_to(): policy = build_policy() policy_eq("default-src 'self'; report-to some_endpoint", policy) -@override_settings(CSP_IMG_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["example.com"]}}) def test_update_img(): policy = build_policy(update={"img-src": "example2.com"}) policy_eq("default-src 'self'; img-src example.com example2.com", policy) @@ -149,7 +169,7 @@ def test_update_missing_setting(): policy_eq("default-src 'self'; img-src example.com", policy) -@override_settings(CSP_IMG_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["example.com"]}}) def test_replace_img(): policy = build_policy(replace={"img-src": "example2.com"}) policy_eq("default-src 'self'; img-src example2.com", policy) @@ -166,7 +186,7 @@ def test_config(): policy_eq("default-src 'none'; img-src 'self'", policy) -@override_settings(CSP_IMG_SRC=("example.com",)) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ("example.com",)}}) def test_update_string(): """ GitHub issue #40 - given project settings as a tuple, and @@ -176,7 +196,7 @@ def test_update_string(): policy_eq("default-src 'self'; img-src example.com example2.com", policy) -@override_settings(CSP_IMG_SRC=("example.com",)) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ("example.com",)}}) def test_replace_string(): """ Demonstrate that GitHub issue #40 doesn't affect replacements @@ -185,67 +205,67 @@ def test_replace_string(): policy_eq("default-src 'self'; img-src example2.com", policy) -@override_settings(CSP_FORM_ACTION=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"form-action": ["example.com"]}}) def test_form_action(): policy = build_policy() policy_eq("default-src 'self'; form-action example.com", policy) -@override_settings(CSP_BASE_URI=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"base-uri": ["example.com"]}}) def test_base_uri(): policy = build_policy() policy_eq("default-src 'self'; base-uri example.com", policy) -@override_settings(CSP_CHILD_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"child-src": ["example.com"]}}) def test_child_src(): policy = build_policy() policy_eq("default-src 'self'; child-src example.com", policy) -@override_settings(CSP_FRAME_ANCESTORS=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"frame-ancestors": ["example.com"]}}) def test_frame_ancestors(): policy = build_policy() policy_eq("default-src 'self'; frame-ancestors example.com", policy) -@override_settings(CSP_NAVIGATE_TO=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"navigate-to": ["example.com"]}}) def test_navigate_to(): policy = build_policy() policy_eq("default-src 'self'; navigate-to example.com", policy) -@override_settings(CSP_MANIFEST_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"manifest-src": ["example.com"]}}) def test_manifest_src(): policy = build_policy() policy_eq("default-src 'self'; manifest-src example.com", policy) -@override_settings(CSP_WORKER_SRC=["example.com"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"worker-src": ["example.com"]}}) def test_worker_src(): policy = build_policy() policy_eq("default-src 'self'; worker-src example.com", policy) -@override_settings(CSP_PLUGIN_TYPES=["application/pdf"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"plugin-types": ["application/pdf"]}}) def test_plugin_types(): policy = build_policy() policy_eq("default-src 'self'; plugin-types application/pdf", policy) -@override_settings(CSP_REQUIRE_SRI_FOR=["script"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"require-sri-for": ["script"]}}) def test_require_sri_for(): policy = build_policy() policy_eq("default-src 'self'; require-sri-for script", policy) -@override_settings(CSP_REQUIRE_TRUSTED_TYPES_FOR=["'script'"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"require-trusted-types-for": ["'script'"]}}) def test_require_trusted_types_for(): policy = build_policy() policy_eq("default-src 'self'; require-trusted-types-for 'script'", policy) -@override_settings(CSP_TRUSTED_TYPES=["strictPolicy", "laxPolicy", "default", "'allow-duplicates'"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"trusted-types": ["strictPolicy", "laxPolicy", "default", "'allow-duplicates'"]}}) def test_trusted_types(): policy = build_policy() policy_eq( @@ -254,13 +274,13 @@ def test_trusted_types(): ) -@override_settings(CSP_UPGRADE_INSECURE_REQUESTS=True) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"upgrade-insecure-requests": True}}) def test_upgrade_insecure_requests(): policy = build_policy() policy_eq("default-src 'self'; upgrade-insecure-requests", policy) -@override_settings(CSP_BLOCK_ALL_MIXED_CONTENT=True) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"block-all-mixed-content": True}}) def test_block_all_mixed_content(): policy = build_policy() policy_eq("default-src 'self'; block-all-mixed-content", policy) @@ -271,7 +291,7 @@ def test_nonce(): policy_eq("default-src 'self' 'nonce-abc123'", policy) -@override_settings(CSP_INCLUDE_NONCE_IN=["script-src", "style-src"]) +@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"include-nonce-in": ["script-src", "style-src"]}}) def test_nonce_include_in(): policy = build_policy(nonce="abc123") policy_eq( @@ -280,8 +300,16 @@ def test_nonce_include_in(): ) -@override_settings() def test_nonce_include_in_absent(): - del settings.CSP_INCLUDE_NONCE_IN policy = build_policy(nonce="abc123") policy_eq("default-src 'self' 'nonce-abc123'", policy) + + +def test_boolean_directives(): + for directive in ["upgrade-insecure-requests", "block-all-mixed-content"]: + with override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {directive: True}}): + policy = build_policy() + policy_eq(f"default-src 'self'; {directive}", policy) + with override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {directive: False}}): + policy = build_policy() + policy_eq("default-src 'self'", policy) diff --git a/csp/utils.py b/csp/utils.py index 821912d..cf62ee1 100644 --- a/csp/utils.py +++ b/csp/utils.py @@ -7,56 +7,78 @@ from django.utils.encoding import force_str -def from_settings(): - return { - # Fetch Directives - "child-src": getattr(settings, "CSP_CHILD_SRC", None), - "connect-src": getattr(settings, "CSP_CONNECT_SRC", None), - "default-src": getattr(settings, "CSP_DEFAULT_SRC", ["'self'"]), - "script-src": getattr(settings, "CSP_SCRIPT_SRC", None), - "script-src-attr": getattr(settings, "CSP_SCRIPT_SRC_ATTR", None), - "script-src-elem": getattr(settings, "CSP_SCRIPT_SRC_ELEM", None), - "object-src": getattr(settings, "CSP_OBJECT_SRC", None), - "style-src": getattr(settings, "CSP_STYLE_SRC", None), - "style-src-attr": getattr(settings, "CSP_STYLE_SRC_ATTR", None), - "style-src-elem": getattr(settings, "CSP_STYLE_SRC_ELEM", None), - "font-src": getattr(settings, "CSP_FONT_SRC", None), - "frame-src": getattr(settings, "CSP_FRAME_SRC", None), - "img-src": getattr(settings, "CSP_IMG_SRC", None), - "manifest-src": getattr(settings, "CSP_MANIFEST_SRC", None), - "media-src": getattr(settings, "CSP_MEDIA_SRC", None), - "prefetch-src": getattr(settings, "CSP_PREFETCH_SRC", None), - "worker-src": getattr(settings, "CSP_WORKER_SRC", None), - # Document Directives - "base-uri": getattr(settings, "CSP_BASE_URI", None), - "plugin-types": getattr(settings, "CSP_PLUGIN_TYPES", None), - "sandbox": getattr(settings, "CSP_SANDBOX", None), - # Navigation Directives - "form-action": getattr(settings, "CSP_FORM_ACTION", None), - "frame-ancestors": getattr(settings, "CSP_FRAME_ANCESTORS", None), - "navigate-to": getattr(settings, "CSP_NAVIGATE_TO", None), - # Reporting Directives - "report-uri": getattr(settings, "CSP_REPORT_URI", None), - "report-to": getattr(settings, "CSP_REPORT_TO", None), - "require-sri-for": getattr(settings, "CSP_REQUIRE_SRI_FOR", None), - # trusted Types Directives - "require-trusted-types-for": getattr(settings, "CSP_REQUIRE_TRUSTED_TYPES_FOR", None), - "trusted-types": getattr(settings, "CSP_TRUSTED_TYPES", None), - # Other Directives - "upgrade-insecure-requests": getattr(settings, "CSP_UPGRADE_INSECURE_REQUESTS", False), - "block-all-mixed-content": getattr(settings, "CSP_BLOCK_ALL_MIXED_CONTENT", False), - } - - -def build_policy(config=None, update=None, replace=None, nonce=None): +DEFAULT_DIRECTIVES = { + # Fetch Directives + "child-src": None, + "connect-src": None, + "default-src": ["'self'"], + "script-src": None, + "script-src-attr": None, + "script-src-elem": None, + "object-src": None, + "style-src": None, + "style-src-attr": None, + "style-src-elem": None, + "font-src": None, + "frame-src": None, + "img-src": None, + "manifest-src": None, + "media-src": None, + "prefetch-src": None, # Deprecated. + # Document Directives + "base-uri": None, + "plugin-types": None, # Deprecated. + "sandbox": None, + # Navigation Directives + "form-action": None, + "frame-ancestors": None, + "navigate-to": None, + # Reporting Directives + "report-uri": None, + "report-to": None, + "require-sri-for": None, + # Trusted Types Directives + "require-trusted-types-for": None, + "trusted-types": None, + # Other Directives + "webrtc": None, + "worker-src": None, + # Directives Defined in Other Documents + "upgrade-insecure-requests": None, + "block-all-mixed-content": None, # Deprecated. + # Pseudo-directive that affects other directives. + "include-nonce-in": None, +} + + +def default_config(csp): + if csp is None: + return None + # Make a copy of the passed in config to avoid mutating it, and also to drop any unknown keys. + config = {} + for key, value in DEFAULT_DIRECTIVES.items(): + config[key] = csp.get(key, value) + return config + + +def build_policy(config=None, update=None, replace=None, nonce=None, report_only=False): """Builds the policy as a string from the settings.""" if config is None: - config = from_settings() - # Be careful, don't mutate config as it could be from settings + if report_only: + config = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", {}) + config = default_config(config.get("DIRECTIVES", {})) if config else None + else: + config = getattr(settings, "CONTENT_SECURITY_POLICY", {}) + config = default_config(config.get("DIRECTIVES", {})) if config else None + + # If config is still `None`, return empty policy. + if config is None: + return "" update = update if update is not None else {} replace = replace if replace is not None else {} + csp = {} for k in set(chain(config, replace)): @@ -80,8 +102,10 @@ def build_policy(config=None, update=None, replace=None, nonce=None): csp[k] += tuple(v) report_uri = csp.pop("report-uri", None) + include_nonce_in = csp.pop("include-nonce-in", []) policy_parts = {} + for key, value in csp.items(): # flag directives with an empty directive value if len(value) and value[0] is True: @@ -96,10 +120,9 @@ def build_policy(config=None, update=None, replace=None, nonce=None): policy_parts["report-uri"] = " ".join(report_uri) if nonce: - include_nonce_in = getattr(settings, "CSP_INCLUDE_NONCE_IN", ["default-src"]) for section in include_nonce_in: policy = policy_parts.get(section, "") - policy_parts[section] = ("{} {}".format(policy, "'nonce-%s'" % nonce)).strip() + policy_parts[section] = f"{policy} 'nonce-{nonce}'".strip() return "; ".join([f"{k} {val}".strip() for k, val in policy_parts.items()]) diff --git a/docs/configuration.rst b/docs/configuration.rst index 7126391..261e9fb 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -15,149 +15,227 @@ before configuring django-csp. policies and even errors when mistakenly configuring them as a ``string``. +============= +Configuration +============= + +All configuration of django-csp is done in your Django settings file with the +``CONTENT_SECURITY_POLICY`` setting or the ``CONTENT_SECURITY_POLICY_REPORT_ONLY`` setting. Each of these +settings expects a dictionary representing a policy. + +The ``CONTENT_SECURITY_POLICY`` setting is your enforcable policy. + +The ``CONTENT_SECURITY_POLICY_REPORT_ONLY`` setting is your report-only policy. This policy is +used to test the policy without breaking the site. It is useful when setting this policy to be +slightly more strict than the default policy to see what would be blocked if the policy was enforced. + +The following is an example of a policy configuration with a default policy and a report-only +policy. The default policy is considered a "relaxed" policy that allows for the most flexibility +while still providing a good level of security. The report-only policy is considered a step towards +a more slightly strict policy and is used to test the policy without breaking the site. + +.. code-block:: python + + CONTENT_SECURITY_POLICY = { + "EXCLUDE_URL_PREFIXES": ["/admin/"], + "DIRECTIVES": { + "default-src": ["'self'", "cdn.example.net"], + "frame-ancestors": ["'self'"], + "form-action": ["'self'"], + "report-uri": "/csp-report/", + } + } + + CONTENT_SECURITY_POLICY_REPORT_ONLY = { + "EXCLUDE_URL_PREFIXES": ["/admin/"], + "DIRECTIVES": { + 'default-src': ["'none'"], + 'connect-src': ["'self'"], + 'img-src': ["'self'"], + 'form-action': ["'self'"], + 'frame-ancestors': ["'self'"], + 'script-src': ["'self'"], + 'style-src': ["'self'"], + 'upgrade-insecure-requests': True, + 'report-uri': "/csp-report/", + } + } + + Policy Settings =============== -These settings affect the policy in the header. The defaults are in *italics*. +At the top level of the policy dictionary, these are the keys that can be used to configure the +policy. -.. note:: - Deprecated features of CSP in general have been moved to the bottom of this list. +``EXCLUDE_URL_PREFIXES`` + A ``tuple`` of URL prefixes. URLs beginning with any of these will not get the CSP headers. + *()* -.. warning:: - The "special" source values of ``'self'``, ``'unsafe-inline'``, - ``'unsafe-eval'``, ``'none'`` and hash-source (``'sha256-...'``) must be - quoted! e.g.: ``CSP_DEFAULT_SRC = ("'self'",)``. Without quotes they will - not work as intended. + .. warning:: -``CSP_DEFAULT_SRC`` - Set the ``default-src`` directive. A ``tuple`` or ``list`` of values, - e.g.: ``("'self'", 'cdn.example.net')``. *["'self'"]* + Excluding any path on your site will eliminate the benefits of CSP everywhere on your site. + The typical browser security model for JavaScript considers all paths alike. A Cross-Site + Scripting flaw on, e.g., ``excluded-page/`` can therefore be leveraged to access everything + on the same origin. -``CSP_SCRIPT_SRC`` - Set the ``script-src`` directive. A ``tuple`` or ``list``. *None* + # TODO: I can't find any documentation on the above warning. -``CSP_SCRIPT_SRC_ATTR`` - Set the ``script-src-attr`` directive. A ``tuple`` or ``list``. *None* +``REPORT_PERCENTAGE`` + Percentage of requests that should see the ``report-uri`` directive. + Use this to throttle the number of CSP violation reports made to your + ``report-uri``. An **integer** between 0 and 100 (0 = no reports at all). + Ignored if ``report-uri`` isn't set. -``CSP_SCRIPT_SRC_ELEM`` - Set the ``script-src-elem`` directive. A ``tuple`` or ``list``. *None* +``DIRECTIVES`` + A dictionary of policy directives. Each key in the dictionary is a directive and the value is a + list of sources for that directive. The following is a list of all the directives that can be + configured. -``CSP_IMG_SRC`` - Set the ``img-src`` directive. A ``tuple`` or ``list``. *None* + .. note:: + The "special" source values of ``'self'``, ``'unsafe-inline'``, ``'unsafe-eval'``, + ``'none'`` and hash-source (``'sha256-...'``) must be quoted! + e.g.: ``"default-src": ["'self'"]``. Without quotes they will not work as intended. -``CSP_OBJECT_SRC`` - Set the ``object-src`` directive. A ``tuple`` or ``list``. *None* + .. note:: + Deprecated features of CSP in general have been moved to the bottom of this list. -``CSP_MEDIA_SRC`` - Set the ``media-src`` directive. A ``tuple`` or ``list``. *None* + .. warning:: + The ``'unsafe-inline'`` and ``'unsafe-eval'`` sources are considered harmful and should be + avoided. They are included here for completeness, but should not be used in production. -``CSP_FRAME_SRC`` - Set the ``frame-src`` directive. A ``tuple`` or ``list``. *None* + ``default-src`` + Set the ``default-src`` directive. A ``tuple`` or ``list`` of values, + e.g.: ``("'self'", 'cdn.example.net')``. *["'self'"]* -``CSP_FONT_SRC`` - Set the ``font-src`` directive. A ``tuple`` or ``list``. *None* + ``script-src`` + Set the ``script-src`` directive. A ``tuple`` or ``list``. *None* -``CSP_CONNECT_SRC`` - Set the ``connect-src`` directive. A ``tuple`` or ``list``. *None* + ``script-src-attr`` + Set the ``script-src-attr`` directive. A ``tuple`` or ``list``. *None* -``CSP_STYLE_SRC`` - Set the ``style-src`` directive. A ``tuple`` or ``list``. *None* + ``script-src-elem`` + Set the ``script-src-elem`` directive. A ``tuple`` or ``list``. *None* -``CSP_STYLE_SRC_ATTR`` - Set the ``style-src-attr`` directive. A ``tuple`` or ``list``. *None* + ``img-src`` + Set the ``img-src`` directive. A ``tuple`` or ``list``. *None* -``CSP_STYLE_SRC_ELEM`` - Set the ``style-src-elem`` directive. A ``tuple`` or ``list``. *None* + ``object-src`` + Set the ``object-src`` directive. A ``tuple`` or ``list``. *None* -``CSP_BASE_URI`` - Set the ``base-uri`` directive. A ``tuple`` or ``list``. *None* + ``media-src`` + Set the ``media-src`` directive. A ``tuple`` or ``list``. *None* - Note: This doesn't use ``default-src`` as a fall-back. + ``frame-src`` + Set the ``frame-src`` directive. A ``tuple`` or ``list``. *None* -``CSP_CHILD_SRC`` - Set the ``child-src`` directive. A ``tuple`` or ``list``. *None* + ``font-src`` + Set the ``font-src`` directive. A ``tuple`` or ``list``. *None* -``CSP_FRAME_ANCESTORS`` - Set the ``frame-ancestors`` directive. A ``tuple`` or ``list``. *None* + ``connect-src`` + Set the ``connect-src`` directive. A ``tuple`` or ``list``. *None* - Note: This doesn't use ``default-src`` as a fall-back. + ``style-src`` + Set the ``style-src`` directive. A ``tuple`` or ``list``. *None* -``CSP_NAVIGATE_TO`` - Set the ``navigate-to`` directive. A ``tuple`` or ``list``. *None* + ``style-src-attr`` + Set the ``style-src-attr`` directive. A ``tuple`` or ``list``. *None* - Note: This doesn't use ``default-src`` as a fall-back. + ``style-src-elem`` + Set the ``style-src-elem`` directive. A ``tuple`` or ``list``. *None* -``CSP_FORM_ACTION`` - Set the ``FORM_ACTION`` directive. A ``tuple`` or ``list``. *None* + ``base-uri`` + Set the ``base-uri`` directive. A ``tuple`` or ``list``. *None* - Note: This doesn't use ``default-src`` as a fall-back. + Note: This doesn't use ``default-src`` as a fall-back. -``CSP_SANDBOX`` - Set the ``sandbox`` directive. A ``tuple`` or ``list``. *None* + ``child-src`` + Set the ``child-src`` directive. A ``tuple`` or ``list``. *None* - Note: This doesn't use ``default-src`` as a fall-back. + ``frame-ancestors`` + Set the ``frame-ancestors`` directive. A ``tuple`` or ``list``. *None* -``CSP_REPORT_URI`` - Set the ``report-uri`` directive. A ``tuple`` or ``list`` of URIs. - Each URI can be a full or relative URI. *None* + Note: This doesn't use ``default-src`` as a fall-back. - Note: This doesn't use ``default-src`` as a fall-back. + ``navigate-to`` + Set the ``navigate-to`` directive. A ``tuple`` or ``list``. *None* + + Note: This doesn't use ``default-src`` as a fall-back. + + ``form-action`` + Set the ``FORM_ACTION`` directive. A ``tuple`` or ``list``. *None* + + Note: This doesn't use ``default-src`` as a fall-back. + + ``sandbox`` + Set the ``sandbox`` directive. A ``tuple`` or ``list``. *None* -``CSP_REPORT_TO`` - Set the ``report-to`` directive. A ``string`` describing a reporting - group. *None* + Note: This doesn't use ``default-src`` as a fall-back. - See Section 1.2: https://w3c.github.io/reporting/#group + ``report-uri`` + Set the ``report-uri`` directive. A ``tuple`` or ``list`` of URIs. + Each URI can be a full or relative URI. *None* - Also `see this MDN note on `_ ``report-uri`` and ``report-to``. + Note: This doesn't use ``default-src`` as a fall-back. -``CSP_MANIFEST_SRC`` - Set the ``manifest-src`` directive. A ``tuple`` or ``list``. *None* + ``report-to`` + Set the ``report-to`` directive. A ``string`` describing a reporting + group. *None* -``CSP_WORKER_SRC`` - Set the ``worker-src`` directive. A ``tuple`` or ``list``. *None* + See Section 1.2: https://w3c.github.io/reporting/#group -``CSP_REQUIRE_SRI_FOR`` - Set the ``require-sri-for`` directive. A ``tuple`` or ``list``. *None* + Also `see this MDN note on `_ ``report-uri`` and ``report-to``. - Valid values: a ``list`` containing ``'script'``, ``'style'``, or both. + ``manifest-src`` + Set the ``manifest-src`` directive. A ``tuple`` or ``list``. *None* - Spec: require-sri-for-known-tokens_ + ``worker-src`` + Set the ``worker-src`` directive. A ``tuple`` or ``list``. *None* -``CSP_UPGRADE_INSECURE_REQUESTS`` - Include ``upgrade-insecure-requests`` directive. A ``boolean``. *False* + ``require-sri-for`` + Set the ``require-sri-for`` directive. A ``tuple`` or ``list``. *None* - Spec: upgrade-insecure-requests_ + Valid values: a ``list`` containing ``'script'``, ``'style'``, or both. -``CSP_REQUIRE_TRUSTED_TYPES_FOR`` - Include ``require-trusted-types-for`` directive. - A ``tuple`` or ``list``. *None* + Spec: require-sri-for-known-tokens_ - Valid values: ``["'script'"]`` + ``upgrade-insecure-requests`` + Include ``upgrade-insecure-requests`` directive. A ``boolean``. *False* -``CSP_TRUSTED_TYPES`` - Include ``trusted-types`` directive. - A ``tuple`` or ``list``. *None* + Spec: upgrade-insecure-requests_ - Valid values: a ``list`` of allowed policy names that may include - ``default`` and/or ``'allow-duplicates'`` + ``require-trusted-types-for`` + Include ``require-trusted-types-for`` directive. + A ``tuple`` or ``list``. *None* -``CSP_INCLUDE_NONCE_IN`` - Include dynamically generated nonce in all listed directives. - A ``tuple`` or ``list``, e.g.: ``CSP_INCLUDE_NONCE_IN = ['script-src']`` - will add ``'nonce-'`` to the ``script-src`` directive. - *['default-src']* + Valid values: ``["'script'"]`` + + ``trusted-types`` + Include ``trusted-types`` directive. + A ``tuple`` or ``list``. *None* + + Valid values: a ``list`` of allowed policy names that may include + ``default`` and/or ``'allow-duplicates'`` + + ``include-nonce-in`` + A ``tuple`` of directives to include a nonce in. *['default-src']* Any directive that is + included in this list will have a nonce value added to it of the form ``'nonce-{nonce-value}'``. + + Note: This is a bit of a "pseudo"-directive. It's not a real CSP directive as defined by the + spec, but it's used to determine which directives should include a nonce value. This is + useful for adding nonces to scripts and styles. + + Note: The nonce value will only be generated if ``request.csp_nonce`` is accessed during the + request/response cycle. - Note: The nonce value will only be generated if ``request.csp_nonce`` - is accessed during the request/response cycle. Deprecated CSP settings ----------------------- -The following settings are still configurable, but are considered deprecated +The following ``DIRECTIVES`` settings are still configurable, but are considered deprecated in terms of the latest implementation of the relevant spec. -``CSP_BLOCK_ALL_MIXED_CONTENT`` +``block-all-mixed-content`` Include ``block-all-mixed-content`` directive. A ``boolean``. *False* Related `note on MDN `_. @@ -165,8 +243,7 @@ in terms of the latest implementation of the relevant spec. Spec: block-all-mixed-content_ - -``CSP_PLUGIN_TYPES`` +``plugin-types`` Set the ``plugin-types`` directive. A ``tuple`` or ``list``. *None* Note: This doesn't use ``default-src`` as a fall-back. @@ -174,7 +251,7 @@ in terms of the latest implementation of the relevant spec. Related `note on MDN `_. -``CSP_PREFETCH_SRC`` +``prefetch-src`` Set the ``prefetch-src`` directive. A ``tuple`` or ``list``. *None* Related `note on MDN `_. @@ -187,31 +264,6 @@ The policy can be changed on a per-view (or even per-request) basis. See the :ref:`decorator documentation ` for more details. -Other Settings -============== - -These settings control the behavior of django-csp. Defaults are in -*italics*. - -``CSP_REPORT_ONLY`` - Send "report-only" headers instead of real headers. - A ``boolean``. *False* - - See the spec_ and the chapter on :ref:`reports ` for - more info. - -``CSP_EXCLUDE_URL_PREFIXES`` - A ``tuple`` (*not* a ``list``) of URL prefixes. URLs beginning with any - of these will not get the CSP headers. *()* - -.. warning:: - - Excluding any path on your site will eliminate the benefits of CSP - everywhere on your site. The typical browser security model for - JavaScript considers all paths alike. A Cross-Site Scripting flaw - on, e.g., ``excluded-page/`` can therefore be leveraged to access - everything on the same origin. - .. _Content-Security-Policy: https://www.w3.org/TR/CSP/ .. _Content-Security-Policy-L3: https://w3c.github.io/webappsec-csp/ .. _spec: Content-Security-Policy_ @@ -221,3 +273,4 @@ These settings control the behavior of django-csp. Defaults are in .. _block-all-mixed-content_mdn: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content .. _plugin_types_mdn: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types .. _prefetch_src_mdn: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src +.. _strict-csp: https://csp.withgoogle.com/docs/strict-csp.html \ No newline at end of file diff --git a/docs/decorators.rst b/docs/decorators.rst index 3ba6183..6c36378 100644 --- a/docs/decorators.rst +++ b/docs/decorators.rst @@ -4,9 +4,8 @@ Modifying the Policy with Decorators ==================================== -Content Security Policies should be restricted and paranoid by default. -You may, on some views, need to expand or change the policy. django-csp -includes four decorators to help. +Content Security Policies should be restricted and paranoid by default. You may, on some views, +need to expand or change the policy. django-csp includes four decorators to help. ``@csp_exempt`` @@ -20,12 +19,17 @@ view. from csp.decorators import csp_exempt # Will not have a CSP header. - @csp_exempt + @csp_exempt() def myview(request): return render(...) -You can manually set this on a per-response basis by setting the -``_csp_exempt`` attribute on the response to ``True``:: + # Will not have a CSP report-only header. + @csp_exempt(REPORT_ONLY=True) + def myview(request): + return render(...) + +You can manually set this on a per-response basis by setting the ``_csp_exempt`` +or ``_csp_exempt_ro`` attribute on the response to ``True``:: # Also will not have a CSP header. def myview(request): @@ -37,28 +41,31 @@ You can manually set this on a per-response basis by setting the ``@csp_update`` =============== -The ``@csp_update`` header allows you to **append** values to the source -lists specified in the settings. If there is no setting, the value -passed to the decorator will be used verbatim. +The ``@csp_update`` header allows you to **append** values to the source lists specified in the +settings. If there is no setting, the value passed to the decorator will be used verbatim. .. note:: - To quote the CSP spec: "There's no inheritance; ... the default list - is not used for that resource type" if it is set. E.g., the following - will not allow images from 'self':: + To quote the CSP spec: "There's no inheritance; ... the default list is not used for that + resource type" if it is set. E.g., the following will not allow images from 'self':: default-src 'self'; img-src imgsrv.com -The arguments to the decorator the same as the :ref:`settings -` without the ``CSP_`` prefix, e.g. ``IMG_SRC``. -(They are also case-insensitive.) The values are either strings, lists -or tuples. +The arguments to the decorator are the same as the :ref:`settings `. The +decorator excpects a single dictionary argument, where the keys are the directives and the values +are either strings, lists or tuples. An optional argument, ``REPORT_ONLY``, can be set to ``True`` +to update the report-only policy instead of the enforced policy. :: from csp.decorators import csp_update - # Will allow images from imgsrv.com. - @csp_update(IMG_SRC='imgsrv.com') + # Will append imgsrv.com to the list of values for `img-src` in the enforced policy. + @csp_update({"img-src": "imgsrv.com"}) + def myview(request): + return render(...) + + # Will append cdn-img.com to the list of values for `img-src` in the report-only policy. + @csp_update({"img-src": "cdn-img.com"}, REPORT_ONLY=True) def myview(request): return render(...) @@ -66,18 +73,21 @@ or tuples. ``@csp_replace`` ================ -The ``@csp_replace`` decorator allows you to **replace** a source list -specified in settings. If there is no setting, the value passed to the -decorator will be used verbatim. (See the note under ``@csp_update``.) -If the specified value is None, the corresponding key will not be included. +The ``@csp_replace`` decorator allows you to **replace** a source list specified in settings. If +there is no setting, the value passed to the decorator will be used verbatim. (See the note under +``@csp_update``.) If the specified value is None, the corresponding key will not be included. The arguments and values are the same as ``@csp_update``:: from csp.decorators import csp_replace - # settings.CSP_IMG_SRC = ['imgsrv.com'] - # Will allow images from imgsrv2.com, but not imgsrv.com. - @csp_replace(IMG_SRC='imgsrv2.com') + # Will allow images only from imgsrv2.com in the enforced policy. + @csp_replace({"img-src": "imgsrv2.com"}) + def myview(request): + return render(...) + + # Will allow images only from cdn-img2.com in the report-only policy. + @csp_replace({"img-src": "imgsrv2.com"}) def myview(request): return render(...) @@ -85,13 +95,23 @@ The arguments and values are the same as ``@csp_update``:: ``@csp`` ======== -If you need to set the entire policy on a view, ignoring all the -settings, you can use the ``@csp`` decorator. The arguments and values -are as above:: +If you need to set the entire policy on a view, ignoring all the settings, you can use the ``@csp`` +decorator. This, and the other decorators, can be stacked to update both policies if both are in +use, as shown below. The arguments and values are as above:: from csp.decorators import csp - @csp(DEFAULT_SRC=["'self'"], IMG_SRC=['imgsrv.com'], - SCRIPT_SRC=['scriptsrv.com', 'googleanalytics.com']) + @csp({ + "default_src": ["'self'"], + "img-src": ["imgsrv.com"], + "script-src": ["scriptsrv.com", "googleanalytics.com", "'unsafe-inline'"]} + }) + @csp({ + "default_src": ["'self'"], + "img-src": ["imgsrv.com"], + "script-src": ["scriptsrv.com", "googleanalytics.com"]}, + "frame-src": ["'self'"], + REPORT_ONLY=True + }) def myview(request): return render(...) diff --git a/docs/nonce.rst b/docs/nonce.rst index 7bfb5f6..bdc6d57 100644 --- a/docs/nonce.rst +++ b/docs/nonce.rst @@ -1,9 +1,10 @@ ============================== Using the generated CSP nonce ============================== -When ``CSP_INCLUDE_NONCE_IN`` is configured, the nonce value is returned in the CSP headers **if it is used**, e.g. by evaluating the nonce in your template. -To actually make the browser do anything with this value, you will need to include it in the attributes of -the tags that you wish to mark as safe. +When ``include-nonce-in`` is configured, the nonce value is returned in the CSP headers **if it is +used**, e.g. by evaluating the nonce in your template. To actually make the browser do anything +with this value, you will need to include it in the attributes of the tags that you wish to mark as +safe. .. Note:: @@ -16,7 +17,8 @@ the tags that you wish to mark as safe. ``Middleware`` ============== -Installing the middleware creates a lazily evaluated property ``csp_nonce`` and attaches it to all incoming requests. +Installing the middleware creates a lazily evaluated property ``csp_nonce`` and attaches it to all +incoming requests. .. code-block:: python @@ -26,7 +28,8 @@ Installing the middleware creates a lazily evaluated property ``csp_nonce`` and #... ) -This value can be accessed directly on the request object in any view or template and manually appended to any script element like so - +This value can be accessed directly on the request object in any view or template and manually +appended to any script element like so - .. code-block:: html @@ -34,7 +37,8 @@ This value can be accessed directly on the request object in any view or templat var hello="world"; -Assuming the ``CSP_INCLUDE_NONCE_IN`` list contains the ``script-src`` directive, this will result in the above script being allowed. +Assuming the ``include-nonce-in`` list contains the ``script-src`` directive, this will result in +the above script being allowed. .. Note:: @@ -43,7 +47,10 @@ Assuming the ``CSP_INCLUDE_NONCE_IN`` list contains the ``script-src`` directive ``Context Processor`` ===================== -This library contains an optional context processor, adding ``csp.context_processors.nonce`` to your configured context processors exposes a variable called ``CSP_NONCE`` into the global template context. This is simple shorthand for ``request.csp_nonce``, but can be useful if you have many occurrences of script tags. +This library contains an optional context processor, adding ``csp.context_processors.nonce`` to your +configured context processors exposes a variable called ``CSP_NONCE`` into the global template +context. This is simple shorthand for ``request.csp_nonce``, but can be useful if you have many +occurrences of script tags. .. code-block:: jinja @@ -57,12 +64,18 @@ This library contains an optional context processor, adding ``csp.context_proces .. note:: - If you're making use of ``csp.extensions.NoncedScript`` you need to have ``jinja2>=2.9.6`` installed, so please make sure to either use ``django-csp[jinja2]`` in your requirements or define it yourself. + If you're making use of ``csp.extensions.NoncedScript`` you need to have ``jinja2>=2.9.6`` + installed, so please make sure to either use ``django-csp[jinja2]`` in your requirements or + define it yourself. -It can be easy to forget to include the ``nonce`` property in a script tag, so there is also a ``script`` template tag available for both Django templates and Jinja environments. +It can be easy to forget to include the ``nonce`` property in a script tag, so there is also a +``script`` template tag available for both Django templates and Jinja environments. -This tag will output a properly nonced script every time. For the sake of syntax highlighting, you can wrap the content inside of the ``script`` tag in ``