Explicitly fail if `EXCLUDE_URL_PREFIXES` is a string

[okkays]

Context

After updating to 4.0b2, configuration values stored as tuple are silently ignored.

We use a security scanner (zap) which had started failing due to missing CSP headers. The docs mention that Many settings require a tuple or list. You may get very strange policies and even errors when mistakenly configuring them as a string.

After migrating to 4.0-compatible configuration, all of our values were tuple - changing them to list caused the header to appear again (this commit)

Suggestions

• It'd be nice if incorrect configuration failed explicitly, rather than effectively skipping CSP. It's hard to notice the missing CSP header without a scanner, and it was difficult to debug why it wasn't being added. This was also how we noticed we needed to change our config for 4.0 - the security scanner caught it; our app ran without exception.
• Re-support tuple or drop support for it from the documentation. All examples and tests appear to expect lists, anyway 🤷

This is low priority for us personally since we've figured it out and made the change, but I figured I'd bring this to your attention since it can silently disable CSP for config that conforms to the docs 😅

[robhudson]

I appreciate that the specific commit was shared which help debug this more quickly.

The issue was this line:

    'EXCLUDE_URL_PREFIXES': ('/admin'),

This is missing the trailing comma to make it a tuple type. For example:

>>> type( ("/admin") )
<class 'str'>

>>> type( ("/admin",) )
<class 'tuple'>

In the middleware this value gets cast to a tuple for checking if the request path starts with a value defined in EXCLUDE_URL_PREFIXES. Since this came through as a string, it was essentially testing that these values matched the request path:

>>> tuple("/admin")
('/', 'a', 'd', 'm', 'i', 'n')

Since the first one / matches pretty much all paths, the CSP header was then excluded.

If this settings value was converted to a tuple everything else works as expected.

It'd be nice if incorrect configuration failed explicitly, rather than effectively skipping CSP.

I agree. We could likely add a check to ensure this particular setting is a tuple or a list because as a string it will definitely "get very strange policies and even errors". :)

Thanks for the report!

[okkays]

d'oh, you are totally right - thanks for taking a look! Sorry for the misdiagnosis!