Skip to content

Restructure CSP Configuration with Streamlined Settings (backwards incompatible) #219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 6, 2024
Merged

Restructure CSP Configuration with Streamlined Settings (backwards incompatible) #219

merged 1 commit into from
Jun 6, 2024

Conversation

@robhudson
Copy link
Collaborator

@robhudson robhudson commented May 1, 2024
edited
Loading

This PR introduces a significant update to the django-csp project, focusing on enhancing the coherence between configuration and headers, and aligning with Django's common practices for settings. The CSP settings have been restructured, consolidating them into two primary options for enforced and report-only policies.

Key Changes:

  • Consolidation of Settings: Simplified the settings config by transitioning to a two-setting approach:
    • CONTENT_SECURITY_POLICY: settings for the enforced policy.
    • CONTENT_SECURITY_POLICY_REPORT_ONLY: settings for the report-only policy.

This is a backwards-incompatible change.

While this change may require refactoring for existing users...

  • it consolidates and simplifies django-csp configuration,
  • it ties the CSP configuration more closely with the CSP response headers, simplifying the comprehension of content-security policies,
  • it unlocks the capability to provide both enforceable and report-only headers (discussed in issue Allow enforced CSP and Report-Only at the same time #36).

Feedback and Contributions

We invite our community members to test and provide feedback on the updated settings structure. Your input will help refine django-csp and ensure its compatibility with Django best practices. Documentation enhancements or suggestions are greatly appreciated.

@robhudson robhudson force-pushed the two-dict-based-settings branch from d88f009 to 77ab5f0 Compare May 1, 2024 19:59
This was referenced May 2, 2024
Closed
Closed
stevejalim
stevejalim reviewed May 7, 2024
View reviewed changes
docs/migration-guide.rst
By following this migration guide, you should be able to successfully update your Django project to
use the new dict-based CSP settings format introduced in the latest version of `django-csp`. This
change aligns the package with the latest CSP specification and provides a more organized and
flexible way to configure your Content Security Policy.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👨‍🍳 💋

@robhudson robhudson force-pushed the two-dict-based-settings branch from 1da985f to b09c116 Compare May 7, 2024 21:07
willkg
willkg reviewed May 16, 2024
View reviewed changes
Copy link
Member

@willkg willkg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm very much excited about this overhaul. The new configuration model is vastly more ergonomic and easier to work with. Thank you for working on this!

docs/configuration.rst
'upgrade-insecure-requests': True,
'report-uri': "/csp-report/",
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I <3 this soooo much more than django-csp 3 configuration.

diox
diox reviewed May 17, 2024
View reviewed changes
Copy link
Member

@diox diox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(not a full review, but some comments around the backwards-incompatibility this introduces)

janbrasna
janbrasna reviewed May 25, 2024
View reviewed changes
@robhudson robhudson force-pushed the two-dict-based-settings branch 2 times, most recently from d2cd3e2 to 4c12388 Compare May 28, 2024 19:10
@robhudson
Copy link
Collaborator Author

Does anyone also feel like we shouldn't have a top level csp import path? I think current practices for Django apps would suggest something like django_csp instead.

I'm considering changing the import path since we're breaking backwards compatibility anyway but wanted to try to get a poll:

  • 👍 if you think we should do this
  • 👎 if you think this is too much change

@robhudson robhudson mentioned this pull request May 31, 2024
Closed
@robhudson robhudson force-pushed the two-dict-based-settings branch from 4c12388 to bb97109 Compare June 5, 2024 21:47
@robhudson robhudson requested a review from stevejalim June 5, 2024 21:52
@robhudson robhudson force-pushed the two-dict-based-settings branch from bb97109 to 93f1eb3 Compare June 5, 2024 22:17
stevejalim
stevejalim reviewed Jun 6, 2024
View reviewed changes
csp/checks.py
warning = (
"You are using django-csp < 4.0 settings. Please update your settings to use the new format.\n"
"See https://django-csp.readthedocs.io/en/latest/migration-guide.html for more information.\n\n"
"We have attempted to build the new CSP config for you based on your current settings:\n\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So good

stevejalim
stevejalim approved these changes Jun 6, 2024
View reviewed changes
Copy link
Contributor

@stevejalim stevejalim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r+ with v v minor comments

Very excited about this - thank you for all the hard (and smart!) work on it 🚀

@robhudson robhudson force-pushed the two-dict-based-settings branch from 93f1eb3 to bbfc8bb Compare June 6, 2024 16:41
Fixes mozilla#36: Move to dictionary based settings
039f699 
This is a backwards incompatible change.

Also fixes mozilla#139, mozilla#191
@robhudson robhudson force-pushed the two-dict-based-settings branch from bbfc8bb to 039f699 Compare June 6, 2024 16:43
@robhudson robhudson merged commit 3413de3 into mozilla:main Jun 6, 2024
This was referenced Jun 6, 2024
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevejalim stevejalim stevejalim approved these changes

+3 more reviewers

@diox diox diox left review comments

@willkg willkg willkg left review comments

@janbrasna janbrasna janbrasna left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@robhudson @stevejalim @diox @willkg @janbrasna