
Allow reading nonce if it was included in header #269

Merged
merged 3 commits into from
Feb 28, 2025

Conversation

jwhitlock
Member

@jwhitlock jwhitlock commented Feb 24, 2025

If the nonce was generated before the CSP headers were set, then allow reading it with request.csp_nonce.

If the CSP headers were set with no nonce, then continue raising CSPNonceError when reading it as a string. If read as a boolean (if request.csp_nonce), then return False.

This will allow other middleware like django-debug-toolbar to alter the response after the CSP middleware runs, fixing #268.

If the nonce was generated before the CSP headers were set, then allow
reading it with request.csp_nonce.

If the CSP headers were set with no nonce, then continue raising
CSPNonceError when reading it as a string. If read as a boolean, then
return False.

This will allow other middleware like django-debug-toolbar to alter the
response after the CSP middleware runs.
@jwhitlock jwhitlock left a comment


Thanks @robhudson, I'll add some docs. And maybe another middleware that always generates the nonce...

This variant middleware always generates the nonce. This is useful when
a process that runs after the middleware needs the nonce.

One example is the middleware used by django-debug-toolbar (DDT). It
needs to be defined early in the MIDDLEWARE list so that it can inject
HTML, CSS, and JavaScript after the response has been generated. DDT
users could use this middleware to ensure the CSP nonce is always
available for its assets.
@jwhitlock

I added a commit:

  • I added CSPMiddlewareAlwaysGenerateNonce, which is like CSPMiddleware, except it always generates a nonce. This could be used when using django-debug-toolbar or similar middlewares.
  • I updated nonce.rst with the new behavior of request.csp_nonce, and when to use CSPMiddlewareAlwaysGenerateNonce or other methods.
  • I updated installation.rst to refer to nonce.rst for more complex init.

I meant to do this over two commits, git fail 🤦
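The nonce semantics described in the PR description and in the comment above, as an added illustrative model rather than django-csp's own code: `LazyNonce`, `csp_middleware`, `run_request` and the `always_generate` flag are assumed names standing in for `request.csp_nonce`, `CSPMiddleware` and `CSPMiddlewareAlwaysGenerateNonce`, and the choice that a truthy check generates the nonce while still permitted is my assumption.

```python
import re
import secrets

class CSPNonceError(Exception):
    """Reading the nonce as a string after the CSP header went out without one."""

class LazyNonce:
    """Per-request nonce: generated on first read, frozen once the CSP header is set."""

    def __init__(self):
        self.value = None        # generated nonce, or None if never requested
        self.header_set = False  # True once the CSP middleware has written its header

    def __str__(self):
        if self.value is None:
            if self.header_set:
                raise CSPNonceError("CSP header already set without a nonce")
            self.value = secrets.token_urlsafe(16)
        return self.value

    def __bool__(self):
        # Boolean reads never raise: False if the header was set without a nonce.
        if self.value is None and self.header_set:
            return False
        str(self)  # assumption: a truthy check generates the nonce while still allowed
        return True

def csp_middleware(nonce, response, always_generate=False):
    """Writes the CSP header; 'nonce-...' is present only if a nonce exists (or always)."""
    if always_generate or nonce.value is not None:
        response["Content-Security-Policy"] = f"script-src 'self' 'nonce-{nonce}'"
    else:
        response["Content-Security-Policy"] = "script-src 'self'"
    nonce.header_set = True

def run_request(template_uses_nonce, always_generate):
    """Simulates template rendering -> CSP middleware -> a later middleware (e.g. DDT)."""
    nonce, response = LazyNonce(), {}
    if template_uses_nonce:
        str(nonce)  # {{ request.csp_nonce }} read while rendering the template
    csp_middleware(nonce, response, always_generate)
    usable = bool(nonce)  # later middleware checks `if request.csp_nonce` before injecting
    try:
        late = str(nonce)  # ...and reads it as a string for <script nonce="...">
    except CSPNonceError:
        late = "CSPNonceError"
    m = re.search(r"'nonce-([^']+)'", response["Content-Security-Policy"])
    return (m.group(1) if m else None), usable, late
```

`run_request(False, False)` is the ordering problem from #268: the header has no nonce source, so the late middleware gets `False` from the boolean check and `CSPNonceError` from the string read, while `run_request(False, True)` shows the always-generate variant handing the same nonce to both the header and the late middleware.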

@robhudson
Member

The CSPMiddlewareAlwaysGenerateNonce gave me pause. But I think some would rather use that in certain situations. The nonce would be added to the header even if not used in the content. I can't see any security implications for this. I actually think this is the generally expected functionality. I think it not being in the header if not used causes some confusion, although I believe it's a nice feature.

I like these changes.

@jwhitlock jwhitlock merged commit bc067da into mozilla:main Feb 28, 2025
8 checks passed
@jwhitlock jwhitlock deleted the retain-set-nonce-268 branch February 28, 2025 21:00