GH 36

CHANGES

@@ -10,6 +10,9 @@ Next
 - Drop support for EOL Python <3.6 and Django <2.2 versions
 - Rename default branch to main
 - Fix capturing brackets in script template tags
+- Add support for multiple content security policies
+- Deprecate single policy settings.  Policies are now
+  configured through two settings: CSP_POLICIES and CSP_POLICY_DEFINITIONS.
 
 3.7
 ===

csp/conf/__init__.py

@@ -0,0 +1,26 @@
+from . import defaults
+
+
+DIRECTIVES = set(defaults.POLICY)
+PSEUDO_DIRECTIVES = {d for d in DIRECTIVES if '_' in d}
+
+
+def setting_to_directive(setting, value, prefix='CSP_'):
+    setting = setting[len(prefix):].lower()
+    if setting not in PSEUDO_DIRECTIVES:
+        setting = setting.replace('_', '-')
+    assert setting in DIRECTIVES
+    if isinstance(value, str):
+        value = [value]
+    return setting, value
+
+
+def directive_to_setting(directive, prefix='CSP_'):
+    setting = '{}{}'.format(
+        prefix,
+        directive.replace('-', '_').upper()
+    )
+    return setting
+
+
+LEGACY_KWARGS = {directive_to_setting(d, prefix='') for d in DIRECTIVES}

csp/conf/defaults.py

@@ -0,0 +1,44 @@
+POLICIES = ('default',)
+
+POLICY = {
+    # Fetch Directives
+    'child-src': None,
+    'connect-src': None,
+    'default-src': ("'self'",),
+    'script-src': None,
+    'script-src-attr': None,
+    'script-src-elem': None,
+    'object-src': None,
+    'style-src': None,
+    'style-src-attr': None,
+    'style-src-elem': None,
+    'font-src': None,
+    'frame-src': None,
+    'img-src': None,
+    'manifest-src': None,
+    'media-src': None,
+    'prefetch-src': None,
+    'worker-src': None,
+    # Document Directives
+    'base-uri': None,
+    'plugin-types': None,
+    'sandbox': None,
+    # Navigation Directives
+    'form-action': None,
+    'frame-ancestors': None,
+    'navigate-to': None,
+    # Reporting Directives
+    'report-uri': None,
+    'report-to': None,
+    'require-sri-for': None,
+    # Trusted Types Directives
+    'require-trusted-types-for': None,
+    'trusted-types': None,
+    # Other Directives
+    'upgrade-insecure-requests': False,
+    'block-all-mixed-content': False,
+    # Pseudo Directives
+    'report_only': False,
+    'include_nonce_in': ('default-src',),
+    'exclude_url_prefixes': (),
+}

csp/conf/deprecation.py

@@ -0,0 +1,51 @@
+import warnings
+
+from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured
+
+from . import (
+    setting_to_directive,
+    directive_to_setting,
+    DIRECTIVES,
+)
+
+
+LEGACY_SETTINGS_NAMES_DEPRECATION_WARNING = (
+    'The following settings are deprecated: %s. '
+    'Use CSP_POLICY_DEFINITIONS and CSP_POLICIES instead.'
+)
+
+
+_LEGACY_SETTINGS = {
+    directive_to_setting(directive) for directive in DIRECTIVES
+}
+
+
+def _handle_legacy_settings(csp, allow_legacy):
+    """
+    Custom defaults allow you to set values for csp directives
+    that will apply to all CSPs defined in CSP_DEFINITIONS, avoiding
+    repetition and allowing custom default values.
+    """
+    legacy_names = (
+        _LEGACY_SETTINGS
+        & set(s for s in dir(settings) if s.startswith('CSP_'))
+    )
+    if not legacy_names:
+        return
+
+    if not allow_legacy:
+        raise ImproperlyConfigured(
+            "Settings CSP_POLICY_DEFINITIONS is not allowed with following "
+            "deprecated settings: %s" % ", ".join(legacy_names)
+        )
+
+    warnings.warn(
+        LEGACY_SETTINGS_NAMES_DEPRECATION_WARNING % ', '.join(legacy_names),
+        DeprecationWarning,
+    )
+    legacy_csp = (
+        setting_to_directive(name, value=getattr(settings, name))
+        for name in legacy_names if name not in csp
+    )
+    csp.update(legacy_csp)

csp/decorators.py

@@ -1,4 +1,11 @@
 from functools import wraps
+from itertools import chain
+
+from .utils import (
+    get_declared_policies,
+    _policies_from_args_and_kwargs,
+    _policies_from_names_and_kwargs,
+)
 
 
 def csp_exempt(f):
@@ -10,8 +17,25 @@ def _wrapped(*a, **kw):
     return _wrapped
 
 
-def csp_update(**kwargs):
-    update = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items())
+def csp_select(*names):
+    """
+    Trim or add additional named policies.
+    """
+    def decorator(f):
+        @wraps(f)
+        def _wrapped(*a, **kw):
+            r = f(*a, **kw)
+            r._csp_select = names
+            return r
+        return _wrapped
+    return decorator
+
+
+def csp_update(csp_names=('default',), **kwargs):
+    update = _policies_from_names_and_kwargs(
+        csp_names,
+        kwargs,
+    )
 
     def decorator(f):
         @wraps(f)
@@ -23,8 +47,11 @@ def _wrapped(*a, **kw):
     return decorator
 
 
-def csp_replace(**kwargs):
-    replace = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items())
+def csp_replace(csp_names=('default',), **kwargs):
+    replace = _policies_from_names_and_kwargs(
+        csp_names,
+        kwargs,
+    )
 
     def decorator(f):
         @wraps(f)
@@ -36,12 +63,43 @@ def _wrapped(*a, **kw):
     return decorator
 
 
-def csp(**kwargs):
-    config = dict(
-        (k.lower().replace('_', '-'), [v] if isinstance(v, str) else v)
-        for k, v
-        in kwargs.items()
-    )
+def csp_append(*args, **kwargs):
+    append = _policies_from_args_and_kwargs(args, kwargs)
+
+    def decorator(f):
+        @wraps(f)
+        def _wrapped(*a, **kw):
+            r = f(*a, **kw)
+            # TODO: these decorators would interact more smoothly and
+            # be more performant if we recorded the result on the function.
+            if hasattr(r, "_csp_config"):
+                r._csp_config.update({
+                    name: policy for name, policy in append.items()
+                    if name not in r._csp_config
+                })
+                select = getattr(r, "_csp_select", None)
+                if select:
+                    select = list(select)
+                    r._csp_select = tuple(chain(
+                        select,
+                        (name for name in append if name not in select),
+                    ))
+            else:
+                r._csp_config = append
+                select = getattr(r, "_csp_select", None)
+                if not select:
+                    select = get_declared_policies()
+                r._csp_select = tuple(chain(
+                    select,
+                    (name for name in append if name not in select),
+                ))
+            return r
+        return _wrapped
+    return decorator
+
+
+def csp(*args, **kwargs):
+    config = _policies_from_args_and_kwargs(args, kwargs)
 
     def decorator(f):
         @wraps(f)

csp/middleware.py

@@ -2,28 +2,16 @@
 
 import os
 import base64
+from collections import defaultdict
 from functools import partial
 
 from django.conf import settings
+from django.utils.deprecation import MiddlewareMixin
 from django.utils.functional import SimpleLazyObject
 
-try:
-    from django.utils.six.moves import http_client
-except ImportError:
-    # django 3.x removed six
-    import http.client as http_client
-
-try:
-    from django.utils.deprecation import MiddlewareMixin
-except ImportError:
-    class MiddlewareMixin(object):
-        """
-        If this middleware doesn't exist, this is an older version of django
-        and we don't need it.
-        """
-        pass
-
-from csp.utils import build_policy
+from .utils import (
+    build_policy, EXEMPTED_DEBUG_CODES, HTTP_HEADERS,
+)
 
 
 class CSPMiddleware(MiddlewareMixin):
@@ -54,36 +42,43 @@ def process_response(self, request, response):
         if getattr(response, '_csp_exempt', False):
             return response
 
-        # Check for ignored path prefix.
-        prefixes = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', ())
-        if request.path_info.startswith(prefixes):
-            return response
-
         # Check for debug view
-        status_code = response.status_code
-        exempted_debug_codes = (
-            http_client.INTERNAL_SERVER_ERROR,
-            http_client.NOT_FOUND,
-        )
-        if status_code in exempted_debug_codes and settings.DEBUG:
+        if response.status_code in EXEMPTED_DEBUG_CODES and settings.DEBUG:
             return response
 
-        header = 'Content-Security-Policy'
-        if getattr(settings, 'CSP_REPORT_ONLY', False):
-            header += '-Report-Only'
-
-        if header in response:
+        existing_headers = {
+            header for header in HTTP_HEADERS if header in response
+        }
+        if len(existing_headers) == len(HTTP_HEADERS):
             # Don't overwrite existing headers.
             return response
 
-        response[header] = self.build_policy(request, response)
-
+        headers = defaultdict(list)
+        path_info = request.path_info
+
+        for csp, report_only, exclude_prefixes in self.build_policy(
+            request, response,
+        ):
+            # Check for ignored path prefix.
+            for prefix in exclude_prefixes:
+                if path_info.startswith(prefix):
+                    break
+            else:
+                header = HTTP_HEADERS[int(report_only)]
+                if header in existing_headers:  # don't overwrite
+                    continue
+                headers[header].append(csp)
+
+        for header, policies in headers.items():
+            response[header] = '; '.join(policies)
         return response
 
     def build_policy(self, request, response):
-        config = getattr(response, '_csp_config', None)
-        update = getattr(response, '_csp_update', None)
-        replace = getattr(response, '_csp_replace', None)
-        nonce = getattr(request, '_csp_nonce', None)
-        return build_policy(config=config, update=update, replace=replace,
-                            nonce=nonce)
+        build_kwargs = {
+            key: getattr(response, '_csp_%s' % key, None)
+            for key in ('config', 'update', 'replace', 'select')
+        }
+        return build_policy(
+            nonce=getattr(request, '_csp_nonce', None),
+            **build_kwargs,
+        )

csp/tests/settings.py

@@ -1,9 +1,14 @@
 import django
 
 
-CSP_REPORT_ONLY = False
-
-CSP_INCLUDE_NONCE_IN = ['default-src']
+CSP_POLICY_DEFINITIONS = {
+    'default': {
+        'report_only': False,
+    },
+    'report': {
+        'report_only': True,
+    },
+}
 
 DATABASES = {
     'default': {