#37084: Add system check for CSP nonce policy without csp context processor
--------------------------------------+------------------------------------
Reporter: Rob Hudson | Owner: (none)
Type: New feature | Status: new
Component: Core (System checks) | Version: 6.0
Severity: Normal | Resolution:
Keywords: csp nonce | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Natalia Bidart):
* keywords: => csp nonce
* stage: Unreviewed => Accepted
Old description:
> When a project enables `ContentSecurityPolicyMiddleware` and includes
> `CSP.NONCE` in its policy, but does not configure the
> `django.template.context_processors.csp` context processor in
> `TEMPLATES`, the result is a silent security misconfiguration. The
> developer has the security of a non-nonce policy while believing they
> have nonce-based protection.
>
> Proposed check:
>
> Register a new security check that emits a Warning (or Error) when all of
> the following hold:
> 1. `django.middleware.csp.ContentSecurityPolicyMiddleware` is in the
> middleware
> 2. At least one configured policy contains `CSP.NONCE` as a source value
> 3. No Django template engine in `TEMPLATES` lists
> `django.template.context_processors.csp`
>
> Possible message:
> Your CSP policy includes `CSP.NONCE` and
> `ContentSecurityPolicyMiddleware` is enabled, but the
> `django.template.context_processors.csp context processor` is not
> configured. The nonce will appear in the response header but not in
> rendered templates, so nonce-based protection will not take effect. Add
> "django.template.context_processors.csp" to the context_processors option
> of at least one Django template engine.
New description:
When a project enables `ContentSecurityPolicyMiddleware` and includes
`CSP.NONCE` in its policy, but does not configure the
`django.template.context_processors.csp` context processor in `TEMPLATES`,
the result is a silent security misconfiguration. The developer has the
security of a non-nonce policy while believing they have nonce-based
protection.
Proposed check:
Register a new security check that emits a Warning (or Error) when all of
the following hold:
1. `django.middleware.csp.ContentSecurityPolicyMiddleware` is in the
middleware
2. At least one configured policy contains `CSP.NONCE` as a source value
3. No Django template engine in `TEMPLATES` lists
`django.template.context_processors.csp`
Possible message:
Your CSP policy includes `CSP.NONCE` and `ContentSecurityPolicyMiddleware`
is enabled, but the `django.template.context_processors.csp` context
processor is not configured. The nonce will appear in the response header
but not in rendered templates, so nonce-based protection will not take
effect. Add "django.template.context_processors.csp" to the
context_processors option of at least one Django template engine.
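A stand-alone model of the three conditions above, added here as an illustration rather than Django's own check. It assumes the Django 6.0 setting names `SECURE_CSP` and `SECURE_CSP_REPORT_ONLY`, uses a local `NONCE` sentinel in place of `CSP.NONCE`, and runs against constructed settings dicts instead of a real settings module.

```python
CSP_MIDDLEWARE = "django.middleware.csp.ContentSecurityPolicyMiddleware"
CSP_CONTEXT_PROCESSOR = "django.template.context_processors.csp"
DJANGO_BACKEND = "django.template.backends.django.DjangoTemplates"
# Stand-in for django.utils.csp.CSP.NONCE so the example runs without Django.
NONCE = object()

WARNING = (
    "Your CSP policy includes CSP.NONCE and ContentSecurityPolicyMiddleware is enabled, "
    "but the django.template.context_processors.csp context processor is not configured."
)


def policy_uses_nonce(policy):
    """Condition 2: some directive of the policy lists the nonce sentinel."""
    for sources in (policy or {}).values():
        if isinstance(sources, (list, tuple, set)) and any(s is NONCE for s in sources):
            return True
    return False


def csp_context_processor_configured(templates):
    """Negation of condition 3: a Django engine lists the csp context processor."""
    for engine in templates:
        if engine.get("BACKEND") != DJANGO_BACKEND:
            continue  # other backends (e.g. Jinja2) do not take this option
        options = engine.get("OPTIONS", {})
        if CSP_CONTEXT_PROCESSOR in options.get("context_processors", []):
            return True
    return False


def check_csp_nonce_context_processor(settings):
    """Return the warnings the proposed check would emit for these settings."""
    if CSP_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        return []
    # Both the enforced and the report-only policy can carry a nonce (assumed setting names).
    policies = (settings.get("SECURE_CSP"), settings.get("SECURE_CSP_REPORT_ONLY"))
    if not any(policy_uses_nonce(p) for p in policies):
        return []
    if csp_context_processor_configured(settings.get("TEMPLATES", [])):
        return []
    return [WARNING]


# Constructed settings: middleware on, nonce in script-src, context processor missing.
MISCONFIGURED = {
    "MIDDLEWARE": [CSP_MIDDLEWARE],
    "SECURE_CSP": {"default-src": ["'self'"], "script-src": ["'self'", NONCE]},
    "TEMPLATES": [{"BACKEND": DJANGO_BACKEND, "OPTIONS": {"context_processors": []}}],
}
```

Adding `CSP_CONTEXT_PROCESSOR` to the engine's `context_processors`, dropping the nonce from the policy, or removing the middleware each makes the check return an empty list.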
--
Comment:
Thank you Rob!
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:1>
Django <https://code.djangoproject.com/>