#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson | Owner: Milad
| Zarour
Type: New feature | Status: assigned
Component: Core (System | Version: 6.0
checks) |
Severity: Normal | Resolution:
Keywords: csp nonce | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Milad Zarour):
* needs_better_patch: 1 => 0
Comment:
Updated PR 21230 to address the latest review comments:
- Resolved conflicts with main in docs/ref/checks.txt and
docs/releases/6.1.txt.
- Moved security.W027 to the non-deploy security checks section.
- Updated the warning wording to use “Content Security Policy”.
- Updated CSP.NONCE detection to use EAFP-style checks around
policy.values() and directive value membership.
- Kept the context processor check as “any backend” to avoid false
positives for projects with separate template backends.
Tests:
- python -m black --check django/core/checks/security/base.py
tests/check_framework/test_security.py
- python -m flake8 django/core/checks/security/base.py
tests/check_framework/test_security.py
- python tests/runtests.py check_framework.test_security
- Ran 76 tests successfully, with 1 skipped.
- git diff --check
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019e02f810e8-1ccba1d5-0def-414c-a18a-7212d5b02ad1-000000%40eu-central-1.amazonses.com.
