Possible to override CSP_INCLUDE_NONCE_IN per-view with a decorator?

[fallen]

It would be nice to be able to use @csp_replace and @csp_update on CSP_INCLUDE_NONCE_IN.
Also, even @csp which is supposed to override everything, does not override the nonce generation.

Why?
Because some browsers like Chromium do not respect the style-src: 'unsafe-inline' if a nonce is given.
So if you generate a nonce with CSP_INCLUDE_NONCE_IN, for your entire project, but you want for some precise view to use 'unsafe-inline', you need to also have a mean to disable the nonce. Or else the browser will just ignore the 'unsafe-inline'.

[g-k]

Hey @fallen,

some browsers like Chromium do not respect the style-src: 'unsafe-inline' if a nonce is given

This is interesting.

Possible to override CSP_INCLUDE_NONCE_IN per-view with a decorator?

No this isn't possible, since CSP_INCLUDE_NONCE_IN is pulled from settings and not the header config that the other decorators operate on.

If it's OK to remove the nonce from all the directives, you could use a decorator like:

def csp_remove_nonces(f):
    @wraps(f)
    def _wrapped(*a, **kw):
        r = f(*a, **kw)
        r._csp_nonce = None
        return r
    return _wrapped

then since build_policy in utils strips the nonce sources when nonce is None. The full patch might be:

commit 4e29019150c71a2d9938b610afcae5ec88a9046e
Author: Greg Guthe <gguthe@mozilla.com>
Date:   Mon Jan 6 01:40:05 2020 -0500

    add csp_remove_nonces decorator (needs docs)

diff --git a/csp/decorators.py b/csp/decorators.py
index bce3352..69e1fab 100644
--- a/csp/decorators.py
+++ b/csp/decorators.py
@@ -10,6 +10,15 @@ def csp_exempt(f):
     return _wrapped
 
 
+def csp_remove_nonces(f):
+    @wraps(f)
+    def _wrapped(*a, **kw):
+        r = f(*a, **kw)
+        r._csp_nonce = None
+        return r
+    return _wrapped
+
+
 def csp_update(**kwargs):
     update = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items())
 
diff --git a/csp/tests/test_decorators.py b/csp/tests/test_decorators.py
index 6f2716e..0d377d8 100644
--- a/csp/tests/test_decorators.py
+++ b/csp/tests/test_decorators.py
@@ -2,7 +2,7 @@ from django.http import HttpResponse
 from django.test import RequestFactory
 from django.test.utils import override_settings
 
-from csp.decorators import csp, csp_replace, csp_update, csp_exempt
+from csp.decorators import csp, csp_replace, csp_update, csp_exempt, csp_remove_nonces
 from csp.middleware import CSPMiddleware
 
 
@@ -98,6 +98,29 @@ def test_csp():
     assert policy_list == ["default-src 'self'"]
 
 
+@override_settings(CSP_INCLUDE_NONCE_IN=["default-src"])
+def test_csp_remove_nonces():
+    # get a new REQUEST so we can modify ._csp_nonce without affecting other
+    # tests
+    request = RequestFactory().get('/')
+    request._csp_nonce = 'test-nonce'
+
+    def view_without_decorator(request):
+        return HttpResponse()
+    response = view_without_decorator(request)
+    mw.process_response(request, response)
+    policy_list = sorted(response["Content-Security-Policy"].split("; "))
+    assert policy_list == ["default-src 'self' 'nonce-test-nonce'"]
+
+    @csp_remove_nonces
+    def view_with_decorator(request):
+        return HttpResponse()
+    response = view_with_decorator(request)
+    mw.process_response(request, response)
+    policy_list = sorted(response["Content-Security-Policy"].split("; "))
+    assert policy_list == ["default-src 'self' 'nonce-test-nonce'"]
+
+
 def test_csp_string_values():
     # Test backwards compatibility where values were strings
     @csp(IMG_SRC='foo.com', FONT_SRC='bar.com')

[DylanYoung]

FYI: this will be fixed in #36

[fallen]

FYI: this will be fixed in #36

Awesome, that's very good news!
Will this be documented?
How will it work then? Thanks :)

[DylanYoung]

Haven't done up the docs yet, but will hopefully get them done along with some more extensive unit tests this week. In the single policy case, it will work just as you requested in the OP. In the multi-policy case, it can be overridden per policy, by passing 'include_nonce_in' in the policy dictionary ('report_only' works similarly).

:)

If all goes smoothly, I'm hoping we can get this merged and a release cut within a couple weeks.

[some1ataplace]

Example of how you can override CSP_INCLUDE_NONCE_IN per-view with a decorator in Django-CSP:

from django_csp.middleware import CSPMiddleware

def csp_replace(csp_dict):
    """
    Decorator to replace the CSP config for a view.
    """
    def decorator(view_func):
        def wrapper(request, *args, **kwargs):
            middleware = CSPMiddleware()
            middleware.config = csp_dict
            response = view_func(request, *args, **kwargs)
            csp_header = middleware.build_csp_header(request=request)
            response['Content-Security-Policy'] = csp_header
            return response
        return wrapper
    return decorator

@csp_replace({'default-src': ["'self'"], 'script-src': ["'self'"], 'style-src': ["'unsafe-inline']})
def my_view(request):
    # your view code here

In this example, we define a csp_replace decorator that takes a dictionary of CSP directives as an argument. The decorator replaces the CSPMiddleware instance's config attribute with the provided dictionary, calls the original view function, and then builds the CSP header with the modified config. Finally, it sets the CSP header in the response and returns it.

To use this decorator, you can simply apply it to your view function and pass in the desired CSP directives as a dictionary. In the example above, we override CSP_INCLUDE_NONCE_IN for the style-src directive to allow 'unsafe-inline' for a specific view.

Here's an example of how you can write unit tests for the csp_replace decorator:

from django.test import TestCase, RequestFactory
from django_csp.middleware import CSPMiddleware
from myapp.views import my_view, csp_replace

class CSPReplaceTestCase(TestCase):
    def setUp(self):
        self.factory = RequestFactory()

    def test_csp_replace_decorator(self):
        # Create a request object
        request = self.factory.get('/my_view')

        # Define the CSP config for the view
        csp_config = {'default-src': ["'self'"], 'script-src': ["'self'"], 'style-src': ["'unsafe-inline']"}

        # Apply the csp_replace decorator to the view
        decorated_view = csp_replace(csp_config)(my_view)

        # Call the decorated view
        response = decorated_view(request)

        # Check that the CSP header is set correctly
        self.assertIn('Content-Security-Policy', response)
        self.assertEqual(response['Content-Security-Policy'], "default-src 'self'; script-src 'self'; style-src 'unsafe-inline'")

In this example, we define a CSPReplaceTestCase test case that sets up a RequestFactory and defines a test for the csp_replace decorator. We create a mock request object and define the desired CSP configuration for the view. We then apply the csp_replace decorator to the my_view function and call the decorated view with the mock request. Finally, we check that the CSP header is set correctly in the response.

---

from functools import wraps

from django_csp.middleware import CSPMiddleware

def csp_override_include_nonce_in(csp_override_value=None):
    """
    Decorator to override the value of CSP_INCLUDE_NONCE_IN for a specific view.

    :param csp_override_value: The value to override CSP_INCLUDE_NONCE_IN with (e.g. "'none'").
                               If not provided, CSP_INCLUDE_NONCE_IN will be disabled for the view.
    """

    def decorator(view_func):
        @wraps(view_func)
        def wrapped_view_func(request, *args, **kwargs):
            # Get the CSP middleware instance
            middleware = CSPMiddleware()

            # Save the original value of CSP_INCLUDE_NONCE_IN
            original_csp_include_nonce_in = middleware.CSP_INCLUDE_NONCE_IN

            # Override CSP_INCLUDE_NONCE_IN with the provided value
            if csp_override_value is not None:
                middleware.CSP_INCLUDE_NONCE_IN = csp_override_value
            else:
                middleware.CSP_INCLUDE_NONCE_IN = None

            # Call the view function
            response = view_func(request, *args, **kwargs)

            # Restore the original value of CSP_INCLUDE_NONCE_IN
            middleware.CSP_INCLUDE_NONCE_IN = original_csp_include_nonce_in

            # Return the response
            return response

        return wrapped_view_func

    return decorator

You can use this decorator to apply a specific CSP_INCLUDE_NONCE_IN value (or disable it altogether) for a particular view like this:

@csp_override_include_nonce_in("'none'")
def some_view(request):
    # Your view code here
    pass

This would disable CSP_INCLUDE_NONCE_IN for the some_view function, regardless of the global setting defined in your Django settings.

Of course, you can customize the decorator's implementation to suit your own requirements. For example, you could pass in multiple CSP settings to override, or even implement a more generic decorator that can override any CSP setting based on a key-value pair.

from unittest.mock import MagicMock, patch

from django.http import HttpResponse
from django.test import RequestFactory, TestCase
from django.urls import reverse

from myapp.views import some_view, csp_override_include_nonce_in

class CSPMiddlewareTestCase(TestCase):
    def setUp(self):
        self.rf = RequestFactory()

def test_csp_override_include_nonce_in_decorator(self):
        # Create a mock response
        response = HttpResponse()

        # Create a mock CSPMiddleware instance
        middleware = MagicMock()

        # Patch the CSPMiddleware object with the mock instance
        with patch('myapp.views.CSPMiddleware', return_value=middleware):
            # Call the decorated view function
            view_func = csp_override_include_nonce_in("'none'")(some_view)
            request = self.rf.get(reverse('some_view'))
            result = view_func(request)

            # Assert that CSP_INCLUDE_NONCE_IN was overridden with the expected value
            middleware.CSP_INCLUDE_NONCE_IN.assert_called_once_with("'none'")

            # Assert that the view function returned the expected result
            self.assertEqual(result, response)

This test creates a mock CSPMiddleware instance and patches the CSPMiddleware object in myapp.views to use this mock instance when the decorated view function is called.

It then calls the decorated view function with a GET request to the some_view URL with the "'none'"value for CSP_INCLUDE_NONCE_IN.

Finally, it asserts that CSP_INCLUDE_NONCE_IN was overridden with the expected value in the mock middleware object, and that the view function returned the expected result (an HTTP response object).

This unit test ensures that the csp_override_include_nonce_in decorator correctly overrides the value of `CSP_INCLUDE_NONCE_IN for the decorated view function, and that the view function behaves as expected.

Note that you will need to replace myapp.views and some_view` with the appropriate module and view function names for your application.

[robhudson]

This will be possible in the upcoming release, currently under review in #219. The include-nonce-in directive is considered a "pseudo-directive" and can be set via the decorators.

[fallen]

This will be possible in the upcoming release, currently under review in #219. The include-nonce-in directive is considered a "pseudo-directive" and can be set via the decorators.

Very good news! Thanks a lot :)