mozilla
diff --git a/‎.coveragerc‎
Lines changed: 4 additions & 0 deletions b/‎.coveragerc‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎csp/contrib/rate_limiting.py‎
Lines changed: 25 additions & 2 deletions b/‎csp/contrib/rate_limiting.py‎
Lines changed: 25 additions & 2 deletions
diff --git a/‎csp/decorators.py‎
Lines changed: 28 additions & 17 deletions b/‎csp/decorators.py‎
Lines changed: 28 additions & 17 deletions
diff --git a/‎csp/middleware.py‎
Lines changed: 30 additions & 20 deletions b/‎csp/middleware.py‎
Lines changed: 30 additions & 20 deletions
diff --git a/‎csp/tests/settings.py‎
Lines changed: 5 additions & 10 deletions b/‎csp/tests/settings.py‎
Lines changed: 5 additions & 10 deletions
diff --git a/‎csp/tests/test_contrib.py‎
Lines changed: 17 additions & 1 deletion b/‎csp/tests/test_contrib.py‎
Lines changed: 17 additions & 1 deletion
@@ -0,0 +1,4 @@
+[run]
+source = csp
+omit =
+  csp/tests/*
@@ -16,9 +16,32 @@ def build_policy(self, request, response):
         replace = getattr(response, "_csp_replace", {})
         nonce = getattr(request, "_csp_nonce", None)
 
-        report_percentage = getattr(settings, "CSP_REPORT_PERCENTAGE")
-        include_report_uri = random.random() < report_percentage
+        policy = getattr(settings, "CONTENT_SECURITY_POLICY", {})
+
+        if policy is None:
+            return ""
+
+        report_percentage = policy.get("REPORT_PERCENTAGE", 100)
+        include_report_uri = random.randint(0, 100) < report_percentage
         if not include_report_uri:
             replace["report-uri"] = None
 
         return build_policy(config=config, update=update, replace=replace, nonce=nonce)
+
+    def build_policy_ro(self, request, response):
+        config = getattr(response, "_csp_config_ro", None)
+        update = getattr(response, "_csp_update_ro", None)
+        replace = getattr(response, "_csp_replace_ro", {})
+        nonce = getattr(request, "_csp_nonce", None)
+
+        policy = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", {})
+
+        if policy is None:
+            return ""
+
+        report_percentage = policy.get("REPORT_PERCENTAGE", 100)
+        include_report_uri = random.randint(0, 100) < report_percentage
+        if not include_report_uri:
+            replace["report-uri"] = None
+
+        return build_policy(config=config, update=update, replace=replace, nonce=nonce, report_only=True)
@@ -1,54 +1,65 @@
 from functools import wraps
 
 
-def csp_exempt(f):
-    @wraps(f)
-    def _wrapped(*a, **kw):
-        r = f(*a, **kw)
-        r._csp_exempt = True
-        return r
+def csp_exempt(REPORT_ONLY=None):
+    def decorator(f):
+        @wraps(f)
+        def _wrapped(*a, **kw):
+            r = f(*a, **kw)
+            if REPORT_ONLY:
+                r._csp_exempt_ro = True
+            else:
+                r._csp_exempt = True
+            return r
 
-    return _wrapped
+        return _wrapped
 
+    return decorator
 
-def csp_update(**kwargs):
-    update = {k.lower().replace("_", "-"): v for k, v in kwargs.items()}
 
+def csp_update(config, *, REPORT_ONLY=False):
     def decorator(f):
         @wraps(f)
         def _wrapped(*a, **kw):
             r = f(*a, **kw)
-            r._csp_update = update
+            if REPORT_ONLY:
+                r._csp_update_ro = config
+            else:
+                r._csp_update = config
             return r
 
         return _wrapped
 
     return decorator
 
 
-def csp_replace(**kwargs):
-    replace = {k.lower().replace("_", "-"): v for k, v in kwargs.items()}
-
+def csp_replace(config, *, REPORT_ONLY=False):
     def decorator(f):
         @wraps(f)
         def _wrapped(*a, **kw):
             r = f(*a, **kw)
-            r._csp_replace = replace
+            if REPORT_ONLY:
+                r._csp_replace_ro = config
+            else:
+                r._csp_replace = config
             return r
 
         return _wrapped
 
     return decorator
 
 
-def csp(**kwargs):
-    config = {k.lower().replace("_", "-"): [v] if isinstance(v, str) else v for k, v in kwargs.items()}
+def csp(config, *, REPORT_ONLY=False):
+    config = {k: [v] if isinstance(v, str) else v for k, v in config.items()}
 
     def decorator(f):
         @wraps(f)
         def _wrapped(*a, **kw):
             r = f(*a, **kw)
-            r._csp_config = config
+            if REPORT_ONLY:
+                r._csp_config_ro = config
+            else:
+                r._csp_config = config
             return r
 
         return _wrapped
 
@@ -21,8 +21,7 @@ class CSPMiddleware(MiddlewareMixin):
     """
 
     def _make_nonce(self, request):
-        # Ensure that any subsequent calls to request.csp_nonce return the
-        # same value
+        # Ensure that any subsequent calls to request.csp_nonce return the same value
         if not getattr(request, "_csp_nonce", None):
             request._csp_nonce = base64.b64encode(os.urandom(16)).decode("ascii")
         return request._csp_nonce
@@ -32,32 +31,36 @@ def process_request(self, request):
         request.csp_nonce = SimpleLazyObject(nonce)
 
     def process_response(self, request, response):
-        if getattr(response, "_csp_exempt", False):
-            return response
-
-        # Check for ignored path prefix.
-        prefixes = getattr(settings, "CSP_EXCLUDE_URL_PREFIXES", ())
-        if request.path_info.startswith(prefixes):
-            return response
-
         # Check for debug view
-        status_code = response.status_code
         exempted_debug_codes = (
             http_client.INTERNAL_SERVER_ERROR,
             http_client.NOT_FOUND,
         )
-        if status_code in exempted_debug_codes and settings.DEBUG:
+        if response.status_code in exempted_debug_codes and settings.DEBUG:
             return response
 
         header = "Content-Security-Policy"
-        if getattr(settings, "CSP_REPORT_ONLY", False):
-            header += "-Report-Only"
-
-        if header in response:
-            # Don't overwrite existing headers.
-            return response
-
-        response[header] = self.build_policy(request, response)
+        header_ro = "Content-Security-Policy-Report-Only"
+
+        csp = self.build_policy(request, response)
+        if csp:
+            # Only set header if not already set and not an excluded prefix and not exempted.
+            is_not_exempt = getattr(response, "_csp_exempt", False) is False
+            no_header = header not in response
+            prefixes = getattr(settings, "CONTENT_SECURITY_POLICY", {}).get("EXCLUDE_URL_PREFIXES", ())
+            is_not_excluded = not request.path_info.startswith(prefixes)
+            if all((no_header, is_not_exempt, is_not_excluded)):
+                response[header] = csp
+
+        csp_ro = self.build_policy_ro(request, response)
+        if csp_ro:
+            # Only set header if not already set and not an excluded prefix and not exempted.
+            is_not_exempt = getattr(response, "_csp_exempt_ro", False) is False
+            no_header = header_ro not in response
+            prefixes = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", {}).get("EXCLUDE_URL_PREFIXES", ())
+            is_not_excluded = not request.path_info.startswith(prefixes)
+            if all((no_header, is_not_exempt, is_not_excluded)):
+                response[header_ro] = csp_ro
 
         return response
 
@@ -67,3 +70,10 @@ def build_policy(self, request, response):
         replace = getattr(response, "_csp_replace", None)
         nonce = getattr(request, "_csp_nonce", None)
         return build_policy(config=config, update=update, replace=replace, nonce=nonce)
+
+    def build_policy_ro(self, request, response):
+        config = getattr(response, "_csp_config_ro", None)
+        update = getattr(response, "_csp_update_ro", None)
+        replace = getattr(response, "_csp_replace_ro", None)
+        nonce = getattr(request, "_csp_nonce", None)
+        return build_policy(config=config, update=update, replace=replace, nonce=nonce, report_only=True)
@@ -1,8 +1,8 @@
-import django
-
-CSP_REPORT_ONLY = False
-
-CSP_INCLUDE_NONCE_IN = ["default-src"]
+CONTENT_SECURITY_POLICY = {
+    "DIRECTIVES": {
+        "include-nonce-in": ["default-src"],
+    }
+}
 
 DATABASES = {
     "default": {
@@ -39,8 +39,3 @@
         "OPTIONS": {},
     },
 ]
-
-
-# Django >1.6 requires `setup` call to initialise apps framework
-if hasattr(django, "setup"):
-    django.setup()
@@ -10,7 +10,7 @@
 rf = RequestFactory()
 
 
-@override_settings(CSP_REPORT_PERCENTAGE=0.1, CSP_REPORT_URI="x")
+@override_settings(CONTENT_SECURITY_POLICY={"REPORT_PERCENTAGE": 10, "DIRECTIVES": {"report-uri": "x"}})
 def test_report_percentage():
     times_seen = 0
     for _ in range(5000):
@@ -21,3 +21,19 @@ def test_report_percentage():
             times_seen += 1
     # Roughly 10%
     assert 400 <= times_seen <= 600
+
+
+@override_settings(CONTENT_SECURITY_POLICY=None)
+def test_no_csp():
+    request = rf.get("/")
+    response = HttpResponse()
+    mw.process_response(request, response)
+    assert HEADER not in response
+
+
+@override_settings(CONTENT_SECURITY_POLICY_REPORT_ONLY=None)
+def test_no_csp_ro():
+    request = rf.get("/")
+    response = HttpResponse()
+    mw.process_response(request, response)
+    assert f"{HEADER}-Report-Only" not in response
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +[run]
 +source = csp
 +omit =
 +  csp/tests/*