-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GH 36 #179
GH 36 #179
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Notes for finishing up.
csp/utils.py
Outdated
) | ||
# Technically we're modifying Django settings here, | ||
# but it shouldn't matter since the end result of either will be the same | ||
deprecation._handle_legacy_settings(custom_definitions) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Design Decision: Should we call _handle_legacy_settings based on whether the user has set CSP_POLICY_DEFINITIONS? i.e. only use the legacy settings if the new settings aren't used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is probably best, but it require updating a whack-ton of tests, so maybe it could come in a separate PR.
csp/middleware.py
Outdated
headers[header].append(csp) | ||
|
||
for header, policies in headers.items(): | ||
# TODO: Design Decision do we want the optional whitespace? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Design Decision: do we want the optional whitespace? (See convo on issue)
csp/middleware.py
Outdated
# Don't overwrite existing headers. | ||
return response | ||
|
||
response[header] = self.build_policy(request, response) | ||
# These won't be ordered properly on Cpython 3.5 or below |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove October 2020 comments and OrderedDict (not supporting python 3.5 anymore?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
csp/decorators.py
Outdated
@@ -10,8 +18,26 @@ def _wrapped(*a, **kw): | |||
return _wrapped | |||
|
|||
|
|||
def csp_update(**kwargs): | |||
update = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items()) | |||
def csp_reorder(order): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Big thing left to do is clarify how the decorators should work and write tests for them.
setup.cfg
Outdated
@@ -2,6 +2,6 @@ | |||
universal = 1 | |||
|
|||
[tool:pytest] | |||
addopts = -vs --tb=short --pep8 --flakes | |||
addopts = -vs --tb=short --pep8 --flakes --ignore docs/conf.py |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what I was doing here: addopts = -vs --tb=short --pep8 --flakes --ignore docs/conf.py
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update docs
csp/utils.py
Outdated
if not isinstance(v, (list, tuple)): | ||
v = (v,) | ||
csp[k] = v | ||
# TODO: design decision |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Design Decision: Do we need this append functionality or should we just error out if the policy we're updating doesn't exist? I guess the issue is handling legacy calls?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've simplified this significantly. csp_update and csp_replace no longer support appending. I added a new csp_append decorator, but not sure if it's desirable.
Design Decision: csp_update and csp_append using the old capitalized kwarg style only apply to the "default" policy by default, do we want them to apply to all policies? I think not because it could be a surprise that bites someone.
- Refactor settings
…lect decorators
mw = CSPMiddleware(response()) | ||
rf = RequestFactory() | ||
|
||
|
||
def get_headers(response): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move get_headers to csp/tests/utils.py
|
||
``CSP_POLICIES`` | ||
A list or tuple specifying which definitions will be applied by default and | ||
defining an order on those policies. *['default']* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Order doesn't really matter I think, remove from docs on CSP_POLICIES
…/csp_select decorators
…/csp_select decorators
…/csp_select decorators
…CY_DEFINITIONS
Closing old PR. #219 has been merged which fixes this same issue. Thank you! |
refs: #36
Making a WIP PR, so I can start looking at it without adding Dylan's fork as a remote.