GH 36 #179
GH 36 #179
Conversation
csp/utils.py
Outdated
| ) | ||
| # Technically we're modifying Django settings here, | ||
| # but it shouldn't matter since the end result of either will be the same | ||
| deprecation._handle_legacy_settings(custom_definitions) |
There was a problem hiding this comment.
Design Decision: Should we call _handle_legacy_settings based on whether the user has set CSP_POLICY_DEFINITIONS? i.e. only use the legacy settings if the new settings aren't used.
There was a problem hiding this comment.
I think this is probably best, but it require updating a whack-ton of tests, so maybe it could come in a separate PR.
csp/middleware.py
Outdated
| headers[header].append(csp) | ||
|
|
||
| for header, policies in headers.items(): | ||
| # TODO: Design Decision do we want the optional whitespace? |
There was a problem hiding this comment.
Design Decision: do we want the optional whitespace? (See convo on issue)
csp/middleware.py
Outdated
| return response | ||
|
|
||
| response[header] = self.build_policy(request, response) | ||
| # These won't be ordered properly on Cpython 3.5 or below |
There was a problem hiding this comment.
Remove October 2020 comments and OrderedDict (not supporting python 3.5 anymore?)
csp/decorators.py
Outdated
|
|
||
| def csp_update(**kwargs): | ||
| update = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items()) | ||
| def csp_reorder(order): |
There was a problem hiding this comment.
Big thing left to do is clarify how the decorators should work and write tests for them.
setup.cfg
Outdated
|
|
||
| [tool:pytest] | ||
| addopts = -vs --tb=short --pep8 --flakes | ||
| addopts = -vs --tb=short --pep8 --flakes --ignore docs/conf.py |
There was a problem hiding this comment.
Not sure what I was doing here: addopts = -vs --tb=short --pep8 --flakes --ignore docs/conf.py
csp/utils.py
Outdated
| if not isinstance(v, (list, tuple)): | ||
| v = (v,) | ||
| csp[k] = v | ||
| # TODO: design decision |
There was a problem hiding this comment.
Design Decision: Do we need this append functionality or should we just error out if the policy we're updating doesn't exist? I guess the issue is handling legacy calls?
There was a problem hiding this comment.
I've simplified this significantly. csp_update and csp_replace no longer support appending. I added a new csp_append decorator, but not sure if it's desirable.
Design Decision: csp_update and csp_append using the old capitalized kwarg style only apply to the "default" policy by default, do we want them to apply to all policies? I think not because it could be a surprise that bites someone.
- Refactor settings
…lect decorators
| rf = RequestFactory() | ||
|
|
||
|
|
||
| def get_headers(response): |
There was a problem hiding this comment.
Move get_headers to csp/tests/utils.py
|
|
||
| ``CSP_POLICIES`` | ||
| A list or tuple specifying which definitions will be applied by default and | ||
| defining an order on those policies. *['default']* |
There was a problem hiding this comment.
Order doesn't really matter I think, remove from docs on CSP_POLICIES
…/csp_select decorators
…/csp_select decorators
…/csp_select decorators
…CY_DEFINITIONS
|
Closing old PR. #219 has been merged which fixes this same issue. Thank you! |
refs: #36
Making a WIP PR, so I can start looking at it without adding Dylan's fork as a remote.