id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
37119	"Adjust CSP middleware ordering note to clarify the effect of ""accessing"" the nonce"	Jacob Walls		"See [https://github.com/django/django/pull/19393#issuecomment-4399804216 discussion] on a closed PR. Our middleware ordering advice says this about `ContentSecurityPolicyMiddleware`:

> Can be placed near the bottom, but ensure any middleware that accesses csp_nonce is positioned after it, so the nonce is properly included in the response header.

To my ear, this assumes too much knowledge about the underlying ""lazy"" implementation that waits to materialize a nonce until it is ""accessed"". Without that detail in mind, on first read, I thought this was referring to accessing the header, which made me think this advice was backwards (to access the header, a response-phase middleware would need to be ordered before, not after).

Suggested edit to clarify the laziness, and that ""accessing"" refers to the nonce value, not the header:

{{{#!diff
-   Can be placed near the bottom, but ensure any middleware that accesses
-   :ref:`csp_nonce <csp-nonce>` is positioned after it, so the nonce is
-   properly included in the response header.
+   Can be placed near the bottom, but since the :ref:`csp_nonce <csp-nonce>` is
+   lazy, ensure any middleware that accesses it is positioned after, so the
+   nonce is generated before this middleware builds the response header.
}}}"	Cleanup/optimization	new	Documentation	6.0	Normal		CSP		Unreviewed	0	0	0	0	0	0