fix: remove duplicate values from CSP directives

Author: crgwbr

csp/tests/test_decorators.py

@@ -63,7 +63,7 @@ def view_with_decorator(request: HttpRequest) -> HttpResponseBase:
     mw.process_response(request, response)
     assert HEADER_REPORT_ONLY not in response.headers
     policy_list = sorted(response[HEADER].split("; "))
-    assert policy_list == ["default-src 'self'", f"img-src foo.com bar.com 'nonce-{getattr(request, 'csp_nonce')}'"]
+    assert policy_list == ["default-src 'self'", f"img-src 'nonce-{getattr(request, 'csp_nonce')}' bar.com foo.com"]
 
     response = view_without_decorator(request)
     mw.process_response(request, response)
@@ -96,7 +96,7 @@ def view_with_decorator(request: HttpRequest) -> HttpResponseBase:
     mw.process_response(request, response)
     assert HEADER not in response.headers
     policy_list = sorted(response[HEADER_REPORT_ONLY].split("; "))
-    assert policy_list == ["default-src 'self'", f"img-src foo.com bar.com 'nonce-{getattr(request, 'csp_nonce')}'"]
+    assert policy_list == ["default-src 'self'", f"img-src 'nonce-{getattr(request, 'csp_nonce')}' bar.com foo.com"]
 
     response = view_without_decorator(request)
     mw.process_response(request, response)

csp/tests/test_utils.py

@@ -55,6 +55,7 @@ def test_default_src() -> None:
     policy = build_policy()
     policy_eq("default-src example.com example2.com", policy)
 
+
 @override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"default-src": {"example.com", "example2.com"}}})
 def test_default_src_is_set() -> None:
     policy = build_policy()
@@ -300,7 +301,7 @@ def test_require_trusted_types_for() -> None:
 def test_trusted_types() -> None:
     policy = build_policy()
     policy_eq(
-        "default-src 'self'; trusted-types strictPolicy laxPolicy default 'allow-duplicates'",
+        "default-src 'self'; trusted-types 'allow-duplicates' default laxPolicy strictPolicy",
         policy,
     )
 
@@ -319,14 +320,14 @@ def test_block_all_mixed_content() -> None:
 
 def test_nonce() -> None:
     policy = build_policy(nonce="abc123")
-    policy_eq("default-src 'self' 'nonce-abc123'", policy)
+    policy_eq("default-src 'nonce-abc123' 'self'", policy)
 
 
 @override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"default-src": [SELF], "script-src": [SELF, NONCE], "style-src": [SELF, NONCE]}})
 def test_nonce_in_value() -> None:
     policy = build_policy(nonce="abc123")
     policy_eq(
-        "default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'nonce-abc123'",
+        "script-src 'nonce-abc123' 'self'; default-src 'self'; style-src 'nonce-abc123' 'self'",
         policy,
     )
 
@@ -337,6 +338,35 @@ def test_only_nonce_in_value() -> None:
     policy_eq("default-src 'nonce-abc123'", policy)
 
 
+@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["example.com", "example.com"]}})
+def test_deduplicate_values() -> None:
+    """
+    GitHub issue #40 - given project settings as a tuple, and
+    an update/replace with a string, concatenate correctly.
+    """
+    policy = build_policy()
+    policy_eq("default-src 'self'; img-src example.com", policy)
+
+
+@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["example.com", "example.com"]}})
+def test_deduplicate_values_update() -> None:
+    """
+    GitHub issue #40 - given project settings as a tuple, and
+    an update/replace with a string, concatenate correctly.
+    """
+    policy = build_policy(update={"img-src": "example.com"})
+    policy_eq("default-src 'self'; img-src example.com", policy)
+
+
+@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ("example.com",)}})
+def test_deduplicate_values_replace() -> None:
+    """
+    Demonstrate that GitHub issue #40 doesn't affect replacements
+    """
+    policy = build_policy(replace={"img-src": ["example2.com", "example2.com"]})
+    policy_eq("default-src 'self'; img-src example2.com", policy)
+
+
 def test_boolean_directives() -> None:
     for directive in ["upgrade-insecure-requests", "block-all-mixed-content"]:
         with override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {directive: True}}):

csp/utils.py

@@ -98,13 +98,18 @@ def build_policy(
             v = config[k]
         if v is not None:
             v = copy.copy(v)
-            if not isinstance(v, (list, tuple, set)):
+            if isinstance(v, set):
+                v = sorted(v)
+            if not isinstance(v, (list, tuple)):
                 v = (v,)
             csp[k] = v
 
     for k, v in update.items():
         if v is not None:
-            if not isinstance(v, (list, tuple, set)):
+            v = copy.copy(v)
+            if isinstance(v, set):
+                v = sorted(v)
+            if not isinstance(v, (list, tuple)):
                 v = (v,)
             if csp.get(k) is None:
                 csp[k] = v
@@ -117,19 +122,18 @@ def build_policy(
 
     for key, value in csp.items():
         # Check for boolean directives.
-        if len(value) == 1:
-            val = list(value)[0]
-            if isinstance(val, bool):
-                if value[0] is True:
-                    policy_parts[key] = ""
-                continue
+        if len(value) == 1 and isinstance(value[0], bool):
+            if value[0] is True:
+                policy_parts[key] = ""
+            continue
         if NONCE in value:
             if nonce:
                 value = [f"'nonce-{nonce}'" if v == NONCE else v for v in value]
             else:
                 # Strip the `NONCE` sentinel value if no nonce is provided.
                 value = [v for v in value if v != NONCE]
 
+        value = sorted(set(value))  # Deduplicate and sort value
         policy_parts[key] = " ".join(value)
 
     if report_uri: