After updating to 4.0b2, configuration values stored as a tuple are silently ignored.
We use a security scanner (ZAP) which had started failing due to missing CSP headers. The docs mention that "Many settings require a tuple or list. You may get very strange policies and even errors when mistakenly configuring them as a string."
After migrating to 4.0-compatible configuration, all of our values were tuples; changing them to lists caused the header to appear again (this commit).
Suggestions
It'd be nice if incorrect configuration failed explicitly, rather than effectively skipping CSP. It's hard to notice the missing CSP header without a scanner, and it was difficult to debug why it wasn't being added. This was also how we noticed we needed to change our config for 4.0 - the security scanner caught it; our app ran without exception.
Re-support tuple or drop support for it from the documentation. All examples and tests appear to expect lists, anyway 🤷
This is low priority for us personally since we've figured it out and made the change, but I figured I'd bring this to your attention since it can silently disable CSP for config that conforms to the docs 😅
In the middleware this value gets cast to a tuple for checking if the request path starts with a value defined in EXCLUDE_URL_PREFIXES. Since this came through as a string, it was essentially testing that these values matched the request path:
Since the first one (`/`) matches pretty much all paths, the CSP header was then excluded.
If this settings value was converted to a tuple everything else works as expected.
It'd be nice if incorrect configuration failed explicitly, rather than effectively skipping CSP.
I agree. We could likely add a check to ensure this particular setting is a tuple or a list because as a string it will definitely "get very strange policies and even errors". :)
Thanks for the report!
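The failure mode described in the comment above, reproduced as an added example (this is not code from the issue or from django-csp itself). It assumes, as the comment states, that the middleware applies `tuple()` to the setting and then tests `request.path.startswith(...)` against the result; the `validate_exclude_url_prefixes` helper is a hypothetical version of the explicit check proposed in the issue, and the settings values are constructed. Note that a one-element "tuple" written as `("/admin/")` without a trailing comma is a plain string in Python, which is one way a value the reporter thought of as a tuple can arrive at the middleware as a string.

```python
# Added illustration of the behaviour described in the issue; not
# django-csp's own middleware code. Assumption taken from the maintainer's
# comment: the middleware does tuple(EXCLUDE_URL_PREFIXES) and then
# request.path.startswith(...) on the result.


def cast_like_middleware(exclude_url_prefixes):
    """Reproduce the cast the comment describes: tuple(value).

    For a list or tuple of prefixes this is harmless. For a string it
    explodes the string into its characters, e.g. "/admin/" becomes
    ('/', 'a', 'd', 'm', 'i', 'n', '/').
    """
    return tuple(exclude_url_prefixes)


def path_is_excluded(path, exclude_url_prefixes):
    """Emulate the exclusion test with the unvalidated cast applied.

    str.startswith accepts a tuple of candidates, so once the string has
    been split into characters the single character '/' matches every
    path, and CSP is skipped for the whole site.
    """
    return path.startswith(cast_like_middleware(exclude_url_prefixes))


def validate_exclude_url_prefixes(value):
    """Explicit check along the lines proposed in the issue: reject a bare
    string (and anything else that is not a list/tuple of strings).

    Returns the prefixes as a tuple on success, raises ValueError
    otherwise. Hypothetical helper, not an API of django-csp.
    """
    if isinstance(value, str):
        raise ValueError(
            "EXCLUDE_URL_PREFIXES must be a tuple or list of path prefixes, "
            f"got a string {value!r}; a one-element tuple needs a trailing "
            "comma, e.g. ('/admin/',)"
        )
    if not isinstance(value, (list, tuple)) or not all(
        isinstance(p, str) for p in value
    ):
        raise ValueError(
            "EXCLUDE_URL_PREFIXES must be a tuple or list of strings, "
            f"got {value!r}"
        )
    return tuple(value)


def path_is_excluded_safely(path, exclude_url_prefixes):
    """Exclusion test with the validation in front of the cast."""
    return path.startswith(validate_exclude_url_prefixes(exclude_url_prefixes))


if __name__ == "__main__":
    # Constructed settings values: the correct form and the mistaken one.
    # ("/admin/") without a trailing comma is a plain string, not a tuple.
    correct = ("/admin/",)
    mistaken = ("/admin/")

    for settings_value in (correct, mistaken):
        print(repr(settings_value), "->", cast_like_middleware(settings_value))
        print("  /api/users excluded?", path_is_excluded("/api/users", settings_value))

    try:
        path_is_excluded_safely("/api/users", mistaken)
    except ValueError as exc:
        print("explicit failure:", exc)
```

Running the script shows `/api/users` (a path that has nothing to do with `/admin/`) being excluded when the setting is the string form, because the cast turns `"/admin/"` into a tuple of characters whose first element `/` matches every path; with the validation in front, the same misconfiguration raises at once instead of silently dropping the header.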
robhudson changed the title from "tuple no longer supported" to "Explicitly fail if EXCLUDE_URL_PREFIXES is a string" on Dec 4, 2024