
Comments (7)

robhudson commented on July 28, 2024

I see that @csp_replace(FRAME_ANCESTORS=None) would not work since there's an if v is not None check there. I'd be curious if changing that to allow None values and then popping them would make sense?

In other words, we could add a new decorator, or use an existing decorator for the same purpose. I'd be curious which seems clearer.

from django-csp.

tim-schilling commented on July 28, 2024

Alternatively, we could define a sentinel CLEAR = object() and use that instead of None.


robhudson commented on July 28, 2024

If we like the idea of reusing the decorators we have, I like the sentinel idea. It makes it a bit more clear and intentional.


tim-schilling commented on July 28, 2024

I'm not sure if you're asking me, Rob, but I like the approach of a sentinel with csp_replace rather than a new decorator.


robhudson commented on July 28, 2024

I'm looking at this again now that the big refactor is merged.

By the way, I was wrong in my comment above, this worked before my refactor, it was just confusing with the None check which stops it from being added to the dict of directives, but by not being added it effectively clears it. There's a test for it as well.

In the PR you shared a test that has both a _csp_update and _csp_clear attribute, suggesting that maybe this view is already decorated and you're needing to clear a directive after it has already been decorated? Or was that test just showing that the clear takes precedence?

Given that @csp_replace with a None value will clear the directive, I'm not sure of the benefit of another decorator or sentinel to explicitly do this. But if this doesn't fit your need I'd be interested in hearing more.


tim-schilling commented on July 28, 2024

> In the PR you shared a test that has both a _csp_update and _csp_clear attribute, suggesting that maybe this view is already decorated and you're needing to clear a directive after it has already been decorated? Or was that test just showing that the clear takes precedence?

We have a case where the middleware was applying a policy via _csp_update but then a view needed to remove it in an exception flow. I wanted to cover something similar in the upstream PR.

> Given that @csp_replace with a None value will clear the directive, I'm not sure of the benefit of another decorator or sentinel to explicitly do this. But if this doesn't fit your need I'd be interested in hearing more.

Since update is applied after replace in build_policy, it doesn't act as a true clear directive when there are multiple operations.

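The ordering described in the comment above, as an added example that is not part of the thread and not django-csp's own code. It is a simplified model: `build_policy_model`, the `CLEAR` handling and the sample policy are assumptions made for illustration.

```python
# Simplified model of the ordering discussed in this thread; not django-csp's code.
CLEAR = object()  # hypothetical sentinel, as proposed in the thread

# Constructed sample policy (assumption, not taken from the thread).
CONFIG = {"default-src": ["'self'"], "frame-ancestors": ["'self'"]}


def _as_tuple(value):
    return tuple(value) if isinstance(value, (list, tuple)) else (value,)


def build_policy_model(config, update=None, replace=None):
    """Build a header string: replace first, then update, then CLEAR."""
    update, replace = update or {}, replace or {}
    merged = {**config, **replace}
    cleared = {k for d in (merged, update) for k, v in d.items() if v is CLEAR}

    csp = {}
    # Step 1: replace overrides config. A None value is skipped, so the
    # directive never enters the dict; that is how None "clears" it.
    for name, value in merged.items():
        if value is not None and value is not CLEAR:
            csp[name] = _as_tuple(value)
    # Step 2: update runs afterwards and can re-create a skipped directive.
    for name, value in update.items():
        if value is not None and value is not CLEAR:
            csp[name] = csp.get(name, ()) + _as_tuple(value)
    # Step 3 (hypothetical): the sentinel wins over both earlier steps.
    for name in cleared:
        csp.pop(name, None)
    return "; ".join(f"{k} {' '.join(v)}" for k, v in sorted(csp.items()))


def demo():
    """Run the three cases from the discussion on the constructed policy."""
    upd = {"frame-ancestors": ["https://example.com"]}  # e.g. set by middleware
    return {
        "replace_none": build_policy_model(CONFIG, replace={"frame-ancestors": None}),
        "replace_none_plus_update": build_policy_model(
            CONFIG, update=upd, replace={"frame-ancestors": None}),
        "clear_sentinel": build_policy_model(
            CONFIG, update=upd, replace={"frame-ancestors": CLEAR}),
    }
```

In the second case the directive reappears in the header because the update step runs after the replace step; only the modelled sentinel removes it regardless of what was applied earlier.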

tim-schilling commented on July 28, 2024

I'm good with closing this issue too as a "Won't fix for now". If there are others out there that could benefit from it, they can upvote it. It may not be worth adding to your maintenance workload.
