def test_replace_string(self):
"""
Demonstrate that GitHub issue #40 doesn't affect replacements
"""
policy = build_policy(replace={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example2.com",
policy)
def process_response(self, request, response):
if getattr(response, '_csp_exempt', False):
return response
# Check for ignored path prefix.
prefixes = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', ('/admin', ))
if request.path_info.startswith(prefixes):
return response
# Check for debug view
status_code = response.status_code
if status_code == http_client.INTERNAL_SERVER_ERROR and settings.DEBUG:
return response
header = 'Content-Security-Policy'
if getattr(settings, 'CSP_REPORT_ONLY', False):
header += '-Report-Only'
if header in response:
# Don't overwrite existing headers.
return response
config = getattr(response, '_csp_config', None)
update = getattr(response, '_csp_update', None)
replace = getattr(response, '_csp_replace', None)
response[header] = build_policy(config=config,
update=update,
replace=replace)
return response
def test_replace_string():
"""
Demonstrate that GitHub issue #40 doesn't affect replacements
"""
policy = build_policy(replace={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example2.com",
policy)
def process_response(self, request, response):
if getattr(response, '_csp_exempt', False):
return response
# Check for ignored path prefix.
prefixes = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', ('/admin',))
if request.path_info.startswith(prefixes):
return response
# Check for debug view
status_code = response.status_code
if status_code == http_client.INTERNAL_SERVER_ERROR and settings.DEBUG:
return response
header = 'Content-Security-Policy'
if getattr(settings, 'CSP_REPORT_ONLY', False):
header += '-Report-Only'
if header in response:
# Don't overwrite existing headers.
return response
config = getattr(response, '_csp_config', None)
update = getattr(response, '_csp_update', None)
replace = getattr(response, '_csp_replace', None)
response[header] = build_policy(config=config, update=update,
replace=replace)
return response
def build_policy(self, request, response):
config = getattr(response, '_csp_config', None)
update = getattr(response, '_csp_update', None)
replace = getattr(response, '_csp_replace', None)
nonce = getattr(request, '_csp_nonce', None)
return build_policy(config=config, update=update, replace=replace,
nonce=nonce)
def test_update_string():
"""
GitHub issue #40 - given project settings as a tuple, and
an update/replace with a string, concatenate correctly.
"""
policy = build_policy(update={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example.com example2.com", policy)
def build_policy(self, request, response):
config = getattr(response, '_csp_config', None)
update = getattr(response, '_csp_update', None)
replace = getattr(response, '_csp_replace', None)
nonce = getattr(request, '_csp_nonce', None)
return build_policy(config=config, update=update, replace=replace,
nonce=nonce)
def test_update_string(self):
"""
GitHub issue #40 - given project settings as a tuple, and
an update/replace with a string, concatenate correctly.
"""
policy = build_policy(update={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example.com example2.com",
policy)
def policy(request):
"""
Returns a valid policy-uri, as an alternative to putting the whole
policy in the header.
"""
policy = build_policy()
return HttpResponse(policy, mimetype='text/x-content-security-policy')
def build_policy(self, request, response):
config = getattr(response, '_csp_config', None)
update = getattr(response, '_csp_update', None)
replace = getattr(response, '_csp_replace', {})
nonce = getattr(request, '_csp_nonce', None)
report_percentage = getattr(settings, 'CSP_REPORT_PERCENTAGE')
include_report_uri = random.random() < report_percentage
if not include_report_uri:
replace['report-uri'] = None
return build_policy(config=config, update=update, replace=replace,
nonce=nonce)
def process_response(self, request, response):
if getattr(response, '_csp_exempt', False):
return response
# Check for ignored path prefix.
for prefix in getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', []):
if request.path_info.startswith(prefix):
return response
header = 'X-Content-Security-Policy'
if getattr(settings, 'CSP_REPORT_ONLY', False):
header = 'X-Content-Security-Policy-Report-Only'
if header in response:
# Don't overwrite existing headers.
return response
response[header] = build_policy()
return response
def process_response(self, request, response):
if getattr(response, '_csp_exempt', False):
return response
# Check for ignored path prefix.
for prefix in getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', []):
if request.path_info.startswith(prefix):
return response
header = 'X-Content-Security-Policy'
if getattr(settings, 'CSP_REPORT_ONLY', False):
header = 'X-Content-Security-Policy-Report-Only'
if header in response:
# Don't overwrite existing headers.
return response
response[header] = build_policy()
return response
def process_response(self, request, response):
if getattr(response, '_csp_exempt', False):
return response
# Check for ignored path prefix.
prefixes = getattr(settings, 'CSP_EXCLUDE_URL_PREFIXES', ('/admin',))
if request.path_info.startswith(prefixes):
return response
ua = request.META.get('HTTP_USER_AGENT', '')
webkit = 'webkit' in ua.lower()
header = 'X-WebKit-CSP' if webkit else 'X-Content-Security-Policy'
if getattr(settings, 'CSP_REPORT_ONLY', False):
header += '-Report-Only'
patch_vary_headers(response, ['User-Agent'])
if header in response:
# Don't overwrite existing headers.
return response
response[header] = build_policy()
return response
def test_script_src_elem():
policy = build_policy()
policy_eq("default-src 'self'; script-src-elem example.com", policy)
def test_update_img():
policy = build_policy(update={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example.com example2.com", policy)
def test_nonce():
policy = build_policy(nonce='abc123')
policy_eq("default-src 'self' 'nonce-abc123'", policy)
def test_nonce_include_in_absent():
del settings.CSP_INCLUDE_NONCE_IN
policy = build_policy(nonce='abc123')
policy_eq("default-src 'self' 'nonce-abc123'", policy)
def test_connect_src():
policy = build_policy()
policy_eq("default-src 'self'; connect-src example.com", policy)
def test_upgrade_insecure_requests():
policy = build_policy()
policy_eq("default-src 'self'; upgrade-insecure-requests", policy)
def test_sandbox(self):
policy = build_policy()
policy_eq("default-src 'self'; sandbox allow-scripts", policy)
def test_style_src():
policy = build_policy()
policy_eq("default-src 'self'; style-src example.com", policy)
def test_font_src(self):
policy = build_policy()
policy_eq("default-src 'self'; font-src example.com", policy)
def test_connect_src(self):
policy = build_policy()
policy_eq("default-src 'self'; connect-src example.com", policy)
def test_media_src(self):
policy = build_policy()
policy_eq("default-src 'self'; media-src example.com", policy)
def test_img_src(self):
policy = build_policy()
policy_eq("default-src 'self'; img-src example.com", policy)
def test_style_src(self):
policy = build_policy()
policy_eq("default-src 'self'; style-src example.com", policy)
def test_replace_missing_setting():
"""replace should work even if the setting is not defined."""
policy = build_policy(replace={'img-src': 'example.com'})
policy_eq("default-src 'self'; img-src example.com", policy)
def test_sandbox_empty(self):
policy = build_policy()
policy_eq("default-src 'self'; sandbox ", policy)
def test_default_src(self):
policy = build_policy()
eq_('default-src example.com example2.com', policy)
def test_report_uri(self):
policy = build_policy()
policy_eq("default-src 'self'; report-uri /foo", policy)
def test_media_src():
policy = build_policy()
policy_eq("default-src 'self'; media-src example.com", policy)
def test_update_img(self):
policy = build_policy(update={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example.com example2.com",
policy)
def test_config(self):
policy = build_policy(
config={'default-src': ["'none'"], 'img-src': ["'self'"]})
policy_eq("default-src 'none'; img-src 'self'", policy)
def test_replace_img(self):
policy = build_policy(replace={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example2.com", policy)
def test_block_all_mixed_content():
policy = build_policy()
policy_eq("default-src 'self'; block-all-mixed-content", policy)
def test_replace_missing_setting(self):
"""replace should work even if the setting is not defined."""
policy = build_policy(replace={'img-src': 'example.com'})
policy_eq("default-src 'self'; img-src example.com", policy)
def test_nonce_include_in():
policy = build_policy(nonce='abc123')
policy_eq(("default-src 'self'; "
"script-src 'nonce-abc123'; "
"style-src 'nonce-abc123'"), policy)
def test_frame_src():
policy = build_policy()
policy_eq("default-src 'self'; frame-src example.com", policy)
def test_script_src_attr():
policy = build_policy()
policy_eq("default-src 'self'; script-src-attr example.com", policy)
def test_empty_policy():
policy = build_policy()
assert "default-src 'self'" == policy
def test_prefetch_src():
policy = build_policy()
policy_eq("default-src 'self'; prefetch-src example.com", policy)
def test_form_action():
policy = build_policy()
policy_eq("default-src 'self'; form-action example.com", policy)
def test_replace_img():
policy = build_policy(replace={'img-src': 'example2.com'})
policy_eq("default-src 'self'; img-src example2.com", policy)
def test_frame_ancestors():
policy = build_policy()
policy_eq("default-src 'self'; frame-ancestors example.com", policy)
def test_config():
policy = build_policy(config={
'default-src': ["'none'"],
'img-src': ["'self'"]
})
policy_eq("default-src 'none'; img-src 'self'", policy)
def test_empty_policy(self):
policy = build_policy()
eq_("default-src 'self'", policy)
def test_child_src():
policy = build_policy()
policy_eq("default-src 'self'; child-src example.com", policy)
def test_object_src():
policy = build_policy()
policy_eq("default-src 'self'; object-src example.com", policy)
def test_base_uri():
policy = build_policy()
policy_eq("default-src 'self'; base-uri example.com", policy)
def test_sandbox_empty():
policy = build_policy()
policy_eq("default-src 'self'; sandbox ", policy)
def test_default_src():
policy = build_policy()
assert 'default-src example.com example2.com' == policy
def test_base_uri():
policy = build_policy()
policy_eq("default-src 'self'; base-uri example.com", policy)
def test_img_src():
policy = build_policy()
policy_eq("default-src 'self'; img-src example.com", policy)
def test_script_src():
policy = build_policy()
policy_eq("default-src 'self'; script-src example.com", policy)
def test_font_src():
policy = build_policy()
policy_eq("default-src 'self'; font-src example.com", policy)
def test_default_src():
policy = build_policy()
assert 'default-src example.com example2.com' == policy
def test_sandbox():
policy = build_policy()
policy_eq("default-src 'self'; sandbox allow-scripts", policy)
def test_frame_ancestors():
policy = build_policy()
policy_eq("default-src 'self'; frame-ancestors example.com", policy)
def test_report_uri_lazy():
policy = build_policy()
policy_eq("default-src 'self'; report-uri /foo", policy)
def test_form_action():
policy = build_policy()
policy_eq("default-src 'self'; form-action example.com", policy)
