Opened 3 weeks ago
Closed 3 weeks ago
#37084 closed New feature (fixed)
Add system check for CSP nonce policy without csp context processor
| Reported by: | Rob Hudson | Owned by: | Milad Zarour |
|---|---|---|---|
| Component: | Core (System checks) | Version: | 6.0 |
| Severity: | Normal | Keywords: | csp nonce |
| Cc: | Rob Hudson | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When a project enables ContentSecurityPolicyMiddleware and includes CSP.NONCE in its policy, but does not configure the django.template.context_processors.csp context processor in TEMPLATES, the result is a silent security misconfiguration. The developer has the security of a non-nonce policy while believing they have nonce-based protection.
Proposed check:
Register a new security check that emits a Warning (or Error) when all of the following hold:
- django.middleware.csp.ContentSecurityPolicyMiddleware is in the middleware
- At least one configured policy contains CSP.NONCE as a source value
- No Django template engine in TEMPLATES lists django.template.context_processors.csp
Possible message:
Your CSP policy includes CSP.NONCE and ContentSecurityPolicyMiddleware is enabled, but the django.template.context_processors.csp context processor is not configured. The nonce will appear in the response header but not in rendered templates, so nonce-based protection will not take effect. Add "django.template.context_processors.csp" to the context_processors option of at least one Django template engine.
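A stand-alone model of the proposed check, added here as an example; it is not Django's implementation and not the code from the PR. Settings are plain dicts, CSP.NONCE is represented by a stand-in sentinel string, the setting names SECURE_CSP and SECURE_CSP_REPORT_ONLY and the helper names are assumptions of this example, and the check id security.W027 follows the later discussion on this ticket. It also covers the review points raised below: directive values may be any iterable (including frozenset) or a scalar, missing settings are handled EAFP-style, and the context processor counts on any template backend.

```python
from copy import deepcopy
from dataclasses import dataclass

# Identifiers named in the ticket.
CSP_MIDDLEWARE = "django.middleware.csp.ContentSecurityPolicyMiddleware"
CSP_CONTEXT_PROCESSOR = "django.template.context_processors.csp"
# Stand-in for CSP.NONCE (assumption of this example). Django swaps the
# sentinel for the per-request nonce; only membership in the policy matters.
CSP_NONCE = "<CSP_NONCE_SENTINEL>"

W027_MSG = (
    "Your Content Security Policy includes CSP.NONCE and "
    "ContentSecurityPolicyMiddleware is enabled, but the "
    f"{CSP_CONTEXT_PROCESSOR} context processor is not configured. The nonce "
    "will appear in the response header but not in rendered templates, so "
    "nonce-based protection will not take effect."
)


@dataclass(frozen=True)
class CheckMessage:
    """Minimal stand-in for django.core.checks.Warning (assumption)."""
    id: str
    msg: str


def policy_uses_nonce(policy) -> bool:
    """True if any directive of a policy dict lists the nonce sentinel.

    EAFP: a missing setting is None (no .values()); a directive value may be a
    list, tuple, set, frozenset, a bare string, or a scalar such as True.
    """
    try:
        values = policy.values()
    except AttributeError:
        return False
    for value in values:
        if isinstance(value, str):
            # A bare string is a single source; avoid substring matching.
            if value == CSP_NONCE:
                return True
            continue
        try:
            if CSP_NONCE in value:
                return True
        except TypeError:  # non-iterable scalar, e.g. upgrade-insecure-requests: True
            continue
    return False


def csp_context_processor_configured(templates) -> bool:
    """True if any template backend lists the csp context processor."""
    for engine in templates or ():
        options = engine.get("OPTIONS") or {}
        if CSP_CONTEXT_PROCESSOR in (options.get("context_processors") or ()):
            return True
    return False


def check_csp_nonce_context_processor(settings: dict) -> list[CheckMessage]:
    """Emit security.W027 only when all three conditions from the ticket hold."""
    if CSP_MIDDLEWARE not in (settings.get("MIDDLEWARE") or ()):
        return []
    policies = (settings.get("SECURE_CSP"), settings.get("SECURE_CSP_REPORT_ONLY"))
    if not any(policy_uses_nonce(p) for p in policies):
        return []
    if csp_context_processor_configured(settings.get("TEMPLATES")):
        return []
    return [CheckMessage("security.W027", W027_MSG)]


# Constructed sample settings: middleware on, nonce in script-src (as a
# frozenset), no csp context processor. This is the silent misconfiguration.
MISCONFIGURED = {
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        CSP_MIDDLEWARE,
    ],
    "SECURE_CSP": {
        "default-src": ["'self'"],
        "script-src": frozenset({"'self'", CSP_NONCE}),
        "upgrade-insecure-requests": True,
    },
    "TEMPLATES": [
        {
            "BACKEND": "django.template.backends.django.DjangoTemplates",
            "OPTIONS": {
                "context_processors": ["django.template.context_processors.request"],
            },
        }
    ],
}


def fixed(settings: dict) -> dict:
    """Copy of the settings with the csp context processor added to the first engine."""
    s = deepcopy(settings)
    s["TEMPLATES"][0]["OPTIONS"]["context_processors"].append(CSP_CONTEXT_PROCESSOR)
    return s


if __name__ == "__main__":
    for label, s in (("misconfigured", MISCONFIGURED), ("fixed", fixed(MISCONFIGURED))):
        print(label, [m.id for m in check_csp_nonce_context_processor(s)])
```

Running the module prints the warning id for the misconfigured settings and an empty list once the context processor is added; removing the middleware or the nonce from the policy also silences the check, which is what keeps it free of false positives.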
Change History (11)
comment:1 by , 3 weeks ago
| Description: | modified (diff) |
|---|---|
| Keywords: | csp nonce added |
| Triage Stage: | Unreviewed → Accepted |
comment:4 by , 3 weeks ago
| Patch needs improvement: | set |
|---|
comment:5 by , 3 weeks ago
| Patch needs improvement: | unset |
|---|
Updated PR 21230 to address review comments:
- Handle iterable CSP directive values, including frozenset.
- Allow django.template.context_processors.csp on any template backend with context_processors configured.
- Moved the release note under the CSP section.
Tests:
- python tests/runtests.py check_framework.test_security
- Ran 76 tests successfully, with 1 skipped.
comment:6 by , 3 weeks ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
comment:7 by , 3 weeks ago
| Patch needs improvement: | set |
|---|
comment:8 by , 3 weeks ago
| Triage Stage: | Ready for checkin → Accepted |
|---|
comment:9 by , 3 weeks ago
| Patch needs improvement: | unset |
|---|
Updated PR 21230 to address the latest review comments:
- Resolved conflicts with main in docs/ref/checks.txt and docs/releases/6.1.txt.
- Moved security.W027 to the non-deploy security checks section.
- Updated the warning wording to use “Content Security Policy”.
- Updated CSP.NONCE detection to use EAFP-style checks around policy.values() and directive value membership.
- Kept the context processor check as “any backend” to avoid false positives for projects with separate template backends.
Tests:
- python -m black --check django/core/checks/security/base.py tests/check_framework/test_security.py
- python -m flake8 django/core/checks/security/base.py tests/check_framework/test_security.py
- python tests/runtests.py check_framework.test_security
- Ran 76 tests successfully, with 1 skipped.
- git diff --check
comment:10 by , 3 weeks ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Thank you Rob!