Fixed #15727 -- Added Content Security Policy (CSP) support.

This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-26 07:06:08 +00:00 · 2025-05-03 10:01:58 -07:00
parent 3f59711581
commit d63241ebc7
26 changed files with 1192 additions and 1 deletions
--- a/tests/context_processors/tests.py
+++ b/tests/context_processors/tests.py
@@ -2,7 +2,8 @@
 Tests for Django's bundled context processors.
 """

-from django.test import SimpleTestCase, TestCase, override_settings
+from django.test import SimpleTestCase, TestCase, modify_settings, override_settings
+from django.utils.csp import CSP


@override_settings(
@@ -96,3 +97,65 @@ class DebugContextProcessorTests(TestCase):
        self.assertContains(response, "Third query list: 2")
        # Check queries for DB connection 'other'
        self.assertContains(response, "Fourth query list: 3")
+
+
+@override_settings(
+    ROOT_URLCONF="context_processors.urls",
+    TEMPLATES=[
+        {
+            "BACKEND": "django.template.backends.django.DjangoTemplates",
+            "APP_DIRS": True,
+            "OPTIONS": {
+                "context_processors": [
+                    "django.template.context_processors.csp",
+                ],
+            },
+        }
+    ],
+    MIDDLEWARE=[
+        "django.middleware.csp.ContentSecurityPolicyMiddleware",
+    ],
+    SECURE_CSP={
+        "script-src": [CSP.SELF, CSP.NONCE],
+    },
+)
+class CSPContextProcessorTests(TestCase):
+    """
+    Tests for the django.template.context_processors.csp_nonce processor.
+    """
+
+    def test_csp_nonce_in_context(self):
+        response = self.client.get("/csp_nonce/")
+        self.assertIn("csp_nonce", response.context)
+
+    @modify_settings(
+        MIDDLEWARE={"remove": "django.middleware.csp.ContentSecurityPolicyMiddleware"}
+    )
+    def test_csp_nonce_in_context_no_middleware(self):
+        response = self.client.get("/csp_nonce/")
+        self.assertIn("csp_nonce", response.context)
+
+    def test_csp_nonce_in_header(self):
+        response = self.client.get("/csp_nonce/")
+        self.assertIn(CSP.HEADER_ENFORCE, response.headers)
+        csp_header = response.headers[CSP.HEADER_ENFORCE]
+        nonce = response.context["csp_nonce"]
+        self.assertIn(f"'nonce-{nonce}'", csp_header)
+
+    def test_different_nonce_per_request(self):
+        response1 = self.client.get("/csp_nonce/")
+        response2 = self.client.get("/csp_nonce/")
+        self.assertNotEqual(
+            response1.context["csp_nonce"],
+            response2.context["csp_nonce"],
+        )
+
+    def test_csp_nonce_in_template(self):
+        response = self.client.get("/csp_nonce/")
+        nonce = response.context["csp_nonce"]
+        self.assertIn(f'<script nonce="{nonce}">', response.text)
+
+    def test_csp_nonce_length(self):
+        response = self.client.get("/csp_nonce/")
+        nonce = response.context["csp_nonce"]
+        self.assertEqual(len(nonce), 22)  # Based on secrets.token_urlsafe of 16 bytes.