#37119 new Cleanup/optimization

Adjust CSP middleware ordering note to clarify the effect of "accessing" the nonce

Reported by: Jacob Walls Owned by:
Component: Documentation Version: 6.0
Severity: Normal Keywords: CSP
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

See discussion on a closed PR. Our middleware ordering advice says this about ContentSecurityPolicyMiddleware:

Can be placed near the bottom, but ensure any middleware that accesses csp_nonce is positioned after it, so the nonce is properly included in the response header.

To my ear, this assumes too much knowledge about the underlying "lazy" implementation that waits to materialize a nonce until it is "accessed". Without that detail in mind, on first read, I thought this was referring to accessing the header, which made me think this advice was backwards (to access the header, a response-phase middleware would need to be ordered before, not after).

Suggested edit to clarify the laziness, and that "accessing" refers to the nonce value, not the header:

-   Can be placed near the bottom, but ensure any middleware that accesses
-   :ref:`csp_nonce <csp-nonce>` is positioned after it, so the nonce is
-   properly included in the response header.
+   Can be placed near the bottom, but since the :ref:`csp_nonce <csp-nonce>` is
+   lazy, ensure any middleware that accesses it is positioned after, so the
+   nonce is generated before this middleware builds the response header.
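Review bot: the `+` lines drop the object of "positioned after" (the `-` text reads "positioned after it"), so the rewritten sentence no longer says after what the middleware must be placed; suggest keeping "positioned after it". Since the motivation is that readers may not know the nonce is lazy, a short gloss in the same sentence, e.g. "is lazy (generated on first access)", would make the `+` text self-explanatory.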

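To make the ordering effect concrete, here is an added Python model of Django's two-phase middleware chain with a lazily generated nonce (example code written for this ticket, not Django's own implementation; the `LazyNonce`, `CSPMiddleware`, `InlineScriptMiddleware` classes and the dict-based request/response are simplifications). It shows that a response-phase consumer of the nonce listed before the CSP middleware reads the nonce only after the header has already been built.

```python
"""Toy model of Django middleware ordering with a lazy CSP nonce."""
import secrets


class LazyNonce:
    """Nonce value that is only generated when first read (str())."""

    def __init__(self):
        self._value = None

    @property
    def materialized(self):
        return self._value is not None

    def __str__(self):
        if self._value is None:  # first access generates the nonce
            self._value = secrets.token_urlsafe(16)
        return self._value


class CSPMiddleware:
    """Attaches the lazy nonce; emits it in the header only if it was used."""

    def process_request(self, request):
        request["csp_nonce"] = LazyNonce()

    def process_response(self, request, response):
        nonce = request["csp_nonce"]
        directive = "script-src 'self'"
        if nonce.materialized:  # an unused nonce is left out of the policy
            directive += f" 'nonce-{nonce}'"
        response["headers"]["Content-Security-Policy"] = directive
        return response


class InlineScriptMiddleware:
    """Reads request.csp_nonce in the response phase to tag an inline script."""

    def process_request(self, request):
        return None

    def process_response(self, request, response):
        nonce = str(request["csp_nonce"])  # this access materializes the nonce
        response["body"] += f'<script nonce="{nonce}"></script>'
        return response


def run_chain(middleware):
    """Request phase runs top-down, response phase bottom-up, as in Django."""
    request = {}
    for mw in middleware:
        mw.process_request(request)
    response = {"headers": {}, "body": ""}
    for mw in reversed(middleware):
        response = mw.process_response(request, response)
    return request, response


def header_has_nonce(response):
    return "'nonce-" in response["headers"]["Content-Security-Policy"]
```

With `[CSPMiddleware(), InlineScriptMiddleware()]` the header carries the same nonce as the injected script; with the order reversed the script is tagged but the header is built before the nonce exists, so the browser would block the script.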
Change History (0)
