Fixed #15727 -- Added Content Security Policy (CSP) support.

This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-25 22:56:12 +00:00 · 2025-05-03 10:01:58 -07:00
parent 3f59711581
commit d63241ebc7
26 changed files with 1192 additions and 1 deletions
--- a/tests/middleware/views.py
+++ b/tests/middleware/views.py
@@ -1,6 +1,12 @@
+import json
+import sys
+
 from django.http import HttpResponse
+from django.middleware.csp import get_nonce
 from django.utils.decorators import method_decorator
+from django.views.debug import technical_500_response
 from django.views.decorators.common import no_append_slash
+from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View


@@ -17,3 +23,25 @@ def sensitive_fbv(request, *args, **kwargs):
 class SensitiveCBV(View):
    def get(self, *args, **kwargs):
        return HttpResponse()
+
+
+def csp_nonce(request):
+    return HttpResponse(get_nonce(request))
+
+
+def csp_500(request):
+    try:
+        raise Exception
+    except Exception:
+        return technical_500_response(request, *sys.exc_info())
+
+
+csp_reports = []
+
+
+@csrf_exempt
+def csp_report_view(request):
+    if request.method == "POST":
+        data = json.loads(request.body)
+        csp_reports.append(data)
+    return HttpResponse(status=204)