Skip to content

Fix #230: Make REPORT_PERCENTAGE a float #242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 12, 2024
Merged

Fix #230: Make REPORT_PERCENTAGE a float #242

merged 2 commits into from
Sep 12, 2024

Conversation

@robhudson
Copy link
Collaborator

@robhudson robhudson commented Sep 11, 2024

No description provided.

Rob Hudson added 2 commits September 10, 2024 17:41
Fix #230: Make REPORT_PERCENTAGE a float
fb633fb
Remove ignore comment after django-stubs fix
e591149 
django.core.checks.registry.CheckRegistry.register is now typed correctly.
stevejalim
stevejalim reviewed Sep 12, 2024
View reviewed changes
docs/configuration.rst
``report-uri``. An **integer** between 0 and 100 (0 = no reports at all).
Ignored if ``report-uri`` isn't set.
Percentage of requests that should see the ``report-uri`` directive. Use this to throttle the
number of CSP violation reports made to your ``report-uri``. A **float** between 0.0 and 100.0
Copy link
Contributor

@stevejalim stevejalim Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A float between 0.0 and 100.0

Won't a float of 100.0 give us a REPORT_PERCENTAGE of 10000.0? Would be good to warn about invalid values maybe?

        config["REPORT_PERCENTAGE"] = _REPORT_PERCENTAGE * 100

Copy link
Collaborator Author

@robhudson robhudson Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That * 100 is only when converting from the old settings config when using CSP_REPORT_PERCENTAGE which was a float between 0 and 1.

Copy link
Collaborator Author

@robhudson robhudson Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be worthwhile to add a Django check in checks.py to validate some of the settings? Like this value being 0 <= x <= 100 and possibly some others that makes sense and emit a warning?

Copy link
Contributor

@stevejalim stevejalim Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be nice, to help avoid surprises, but can be a follow-on thing or a ticket for someone in the community to pick up?

stevejalim
stevejalim approved these changes Sep 12, 2024
View reviewed changes
Copy link
Contributor

@stevejalim stevejalim left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r+wc

csp/contrib/rate_limiting.py
return policy_parts

remove_report = random.randint(0, 99) >= policy.get("REPORT_PERCENTAGE", 100)
# `random.random` returns a value in the range [0.0, 1.0) so all values will be < 100.0.
Copy link
Contributor

@stevejalim stevejalim Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# `random.random` returns a value in the range [0.0, 1.0) so all values will be < 100.0.
# `random.random` returns a value in the range [0.0, 1.0] so all values will be < 100.0.

Copy link
Collaborator Author

@robhudson robhudson Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was actually intentional to denote that 1.0 isn't included in the range that random.random() can return.

docs/configuration.rst
``report-uri``. An **integer** between 0 and 100 (0 = no reports at all).
Ignored if ``report-uri`` isn't set.
Percentage of requests that should see the ``report-uri`` directive. Use this to throttle the
number of CSP violation reports made to your ``report-uri``. A **float** between 0.0 and 100.0
Copy link
Contributor

@stevejalim stevejalim Sep 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be nice, to help avoid surprises, but can be a follow-on thing or a ticket for someone in the community to pick up?

@robhudson robhudson merged commit 35341b2 into main Sep 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevejalim stevejalim stevejalim approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robhudson @stevejalim