Allow reading nonce if it was included in header#269

Merged
jwhitlock merged 3 commits intomozilla:mainfrom
jwhitlock:retain-set-nonce-268
Feb 28, 2025
Conversation

@jwhitlock (Contributor) commented Feb 24, 2025

If the nonce was generated before the CSP headers were set, then allow reading it with request.csp_nonce.

If the CSP headers were set with no nonce, then continue raising CSPNonceError when reading it as a string. If read as a boolean (if request.csp_nonce), then return False.

This will allow other middleware like django-debug-toolbar to alter the response after the CSP middleware runs, fixing #268.

If the nonce was generated before the CSP headers were set, then allow
reading it with request.csp_nonce.

If the CSP headers were set with no nonce, then continue raising
CSPNonceError when reading it as a string. If read as a boolean, then
return False.

This will allow other middleware like django-debug-toolbar to alter the
response after the CSP middleware runs.
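The semantics described above (a nonce readable after the header is set only if it was generated before; otherwise a string read raises CSPNonceError and a boolean read is False), together with the "always generate the nonce" variant discussed later in the thread, as an added illustrative model. This is not django-csp's implementation and has no Django dependency: the names `LazyNonce`, `build_csp_header`, `mark_header_set` and the `always_generate` flag are assumptions made for the example, and the choice that a boolean read before the header is set behaves like a string read (generating the nonce) is also an assumption.

```python
import secrets


class CSPNonceError(Exception):
    """Raised when the nonce is read as a string after the CSP header was
    already set without one (mirrors the error named in the PR)."""


class LazyNonce:
    """Illustrative model of request.csp_nonce (assumed API, not django-csp's code).

    The value is minted on first use. Once the CSP header has been finalised
    without a nonce, it is too late to mint one: the browser would never see it
    in the policy, so a string read raises and a boolean read is False.
    """

    def __init__(self) -> None:
        self._value = None        # generated on first use
        self._header_set = False  # True once the CSP header was finalised

    @property
    def generated(self) -> bool:
        return self._value is not None

    def mark_header_set(self) -> None:
        """Called by the (modelled) middleware after the CSP header is built."""
        self._header_set = True

    def __str__(self) -> str:
        if self._value is None:
            if self._header_set:
                raise CSPNonceError("CSP header was set without a nonce")
            self._value = secrets.token_urlsafe(16)
        return self._value

    def __bool__(self) -> bool:
        # `if request.csp_nonce:` is False once the header went out without a nonce.
        # Assumption: before that point it behaves like a string read.
        if self._value is None and self._header_set:
            return False
        str(self)
        return True


def build_csp_header(nonce: LazyNonce, always_generate: bool = False) -> str:
    """Model of the middleware step that finalises the policy.

    always_generate=True models the "always generate the nonce" variant from the
    PR: the nonce is forced into the header so that middleware running later
    (django-debug-toolbar is the PR's example) can still use it.
    """
    if always_generate:
        str(nonce)
    policy = "default-src 'self'"
    if nonce.generated:
        policy += f"; script-src 'self' 'nonce-{nonce}'"
    nonce.mark_header_set()
    return policy


def nonce_read_before_header() -> tuple[str, str]:
    """A template read the nonce first, then the middleware set the header;
    later readers get the same value (the behaviour this PR allows)."""
    nonce = LazyNonce()
    value = str(nonce)
    header = build_csp_header(nonce)
    assert str(nonce) == value
    return value, header


def header_set_without_nonce() -> tuple[bool, bool, bool]:
    """Nobody used the nonce before the header was set: string read raises,
    boolean read is False, and the header carries no nonce."""
    nonce = LazyNonce()
    header = build_csp_header(nonce)
    try:
        str(nonce)
        raised = False
    except CSPNonceError:
        raised = True
    return raised, bool(nonce), "nonce-" in header


def header_with_forced_nonce() -> tuple[str, str]:
    """The always-generate variant: the nonce is in the header and readable after."""
    nonce = LazyNonce()
    header = build_csp_header(nonce, always_generate=True)
    return str(nonce), header
```

The third scenario is the trade-off @robhudson raises below: the nonce lands in the policy whether or not any inline asset uses it, which is harmless for the policy itself but means the header no longer tells you whether the page actually relied on a nonce.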
@jwhitlock (Contributor, Author) left a comment on csp/middleware.py:

Thanks @robhudson, I'll add some docs. And maybe another middleware that always generates the nonce...

This variant middleware always generates the nonce. This is useful when
a process that runs after the middleware needs the nonce.

One example is the middleware used by django-debug-toolbar (DDT). It
needs to be defined early in the MIDDLEWARE list so that it can inject
HTML, CSS, and JavaScript after the response has been generated. DDT
users could use this middleware to ensure the CSP nonce is always
available for its assets.
@jwhitlock (Contributor, Author)

I added a commit:

  • I added CSPMiddlewareAlwaysGenerateNonce, which is like CSPMiddleware, except it always generates a nonce. This could be used when using django-debug-toolbar or similar middlewares.
  • I updated nonce.rst with the new behavior of request.csp_nonce, and when to use CSPMiddlewareAlwaysGenerateNonce or other methods.
  • I updated installation.rst to refer to nonce.rst for more complex init.

I meant to do this over two commits, git fail 🤦

@robhudson (Collaborator)

The CSPMiddlewareAlwaysGenerateNonce gave me pause. But I think some would rather use that in certain situations. The nonce would be added to the header even if not used in the content. I can't see any security implications for this. I actually think this is the generally expected functionality. I think it not being in the header if not used causes some confusion, although I believe it's a nice feature.

I like these changes.
