#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
-------------------------------------+-------------------------------------
     Reporter:  Jacob Walls          |                     Type:
                                     |  Cleanup/optimization
       Status:  new                  |                Component:
                                     |  Documentation
      Version:  6.0                  |                 Severity:  Normal
     Keywords:  CSP                  |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 See [https://github.com/django/django/pull/19393#issuecomment-4399804216
 discussion] on a closed PR. Our middleware ordering advice says this about
 `ContentSecurityPolicyMiddleware`:

 > Can be placed near the bottom, but ensure any middleware that accesses
 csp_nonce is positioned after it, so the nonce is properly included in the
 response header.

 To my ear, this assumes too much knowledge about the underlying "lazy"
 implementation that waits to materialize a nonce until it is "accessed".
 Without that detail in mind, on first read, I thought this was referring
 to accessing the header, which made me think this advice was backwards (to
 access the header, a response-phase middleware would need to be ordered
 before, not after).

 Suggested edit to clarify the laziness, and that "accessing" refers to the
 nonce value, not the header:

 {{{#!diff
 -   Can be placed near the bottom, but ensure any middleware that accesses
 -   :ref:`csp_nonce <csp-nonce>` is positioned after it, so the nonce is
 -   properly included in the response header.
 +   Can be placed near the bottom, but since the :ref:`csp_nonce <csp-
 nonce>` is
 +   lazy, ensure any middleware that accesses it is positioned after, so
 the
 +   nonce is generated before this middleware builds the response header.
 }}}
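Review bot: In the `+` lines the `:ref:` role is wrapped across a line break (`<csp-` on one line, `nonce>`` on the next); if that wrapping survives into the `.txt` source Sphinx will not resolve the reference, so keep `:ref:`csp_nonce <csp-nonce>`` on a single line. The rewritten sentence also drops the object that the original had ("positioned after it"), leaving "positioned after, so the nonce is generated ..." without saying after what; suggest "ensure any middleware that accesses it is positioned after it in `MIDDLEWARE`, so the nonce is generated before this middleware builds the response header", which also makes explicit that "after" refers to list position, not execution order on the response phase.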
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37119>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

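An added illustration of the ordering point discussed in this ticket (example code written for this page, not Django's own middleware implementation): a small simulation of a Django-style middleware chain with a nonce that is generated only on first access. The `Request`, `Response`, `LazyNonce` and both middleware factories are stand-ins; only the chaining rule (first entry in `MIDDLEWARE` is outermost, so a middleware listed after the CSP middleware runs before it on the response phase) mirrors Django. With the documented order the nonce an inner middleware stamps on an inline script also ends up in the header; with the order reversed the outer middleware touches the nonce only after the header has already been built, so the header carries no nonce and the inline script would be blocked.

```python
"""Simulation of middleware ordering with a lazily generated CSP nonce.

Illustrative model for this ticket, not Django's implementation: Request,
Response, LazyNonce and the two middleware factories are stand-ins.
"""
import re
import secrets


class Request:
    def __init__(self):
        self.csp_nonce = None  # attached by csp_middleware on the request phase


class Response:
    def __init__(self, body=""):
        self.headers = {}
        self.body = body


class LazyNonce:
    """Nonce value generated only on first use (models a lazy object)."""

    def __init__(self):
        self._value = None

    @property
    def materialized(self):
        return self._value is not None

    def __str__(self):
        if self._value is None:
            self._value = secrets.token_urlsafe(16)
        return self._value


def csp_middleware(get_response):
    """Attach a lazy nonce on the way in; build the CSP header on the way out.

    The nonce is included in the header only if something accessed it while
    the view or an inner middleware was running.
    """
    def handler(request):
        request.csp_nonce = LazyNonce()
        response = get_response(request)
        script_src = "script-src 'self'"
        if request.csp_nonce.materialized:
            script_src += f" 'nonce-{request.csp_nonce}'"
        response.headers["Content-Security-Policy"] = (
            f"default-src 'self'; {script_src}"
        )
        return response
    return handler


def inline_script_middleware(get_response):
    """Append an inline script tagged with request.csp_nonce (accesses the nonce)."""
    def handler(request):
        response = get_response(request)
        response.body += f'<script nonce="{request.csp_nonce}">/* ... */</script>'
        return response
    return handler


def view(request):
    return Response("<p>hello</p>")


def build_chain(middleware_list, view_func):
    """Wrap like Django does: the first entry in MIDDLEWARE is outermost."""
    handler = view_func
    for factory in reversed(middleware_list):
        handler = factory(handler)
    return handler


def run(middleware_list):
    return build_chain(middleware_list, view)(Request())


def header_nonce(response):
    csp = response.headers.get("Content-Security-Policy", "")
    m = re.search(r"'nonce-([A-Za-z0-9_-]+)'", csp)
    return m.group(1) if m else None


def body_nonce(response):
    m = re.search(r'nonce="([^"]+)"', response.body)
    return m.group(1) if m else None


def nonce_consistent(middleware_list):
    """True only if the header carries the same nonce the inline script uses."""
    response = run(middleware_list)
    h, b = header_nonce(response), body_nonce(response)
    return h is not None and h == b


if __name__ == "__main__":
    # Documented order: CSP middleware listed first, nonce user after it.
    print(nonce_consistent([csp_middleware, inline_script_middleware]))  # True
    # Reversed: the outer middleware accesses the nonce after the header exists.
    print(nonce_consistent([inline_script_middleware, csp_middleware]))  # False
```

Running the module prints `True` for the documented order and `False` for the reversed one; in the reversed case the response body contains a nonce while the header does not, which is exactly the mismatch the ordering advice is meant to prevent.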