[Django] #37054: Precompute the Referrer-Policy header value during middleware initialization

[Django]

#37054: Precompute the Referrer-Policy header value during middleware
initialization
-------------------------------------+-------------------------------------
Reporter: Mason | Owner: Mason Lyons
Lyons |
Type: | Status: assigned
Cleanup/optimization |
Component: HTTP | Version: 6.0
handling |
Severity: Normal | Keywords: middleware
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The SecurityMiddleware runs on every Django request and adds security
headers to responses. The original `process_response()` method constructs
the Referrer-Policy header by performing string operations on every
request:

{{{
def process_response(self, request, response):
# ... other headers ...
if self.referrer_policy:
# Support a comma-separated string or iterable of values to allow
# fallback.
response.headers.setdefault(
"Referrer-Policy",
",".join(
[v.strip() for v in self.referrer_policy.split(",")]
if isinstance(self.referrer_policy, str)
else self.referrer_policy
),
)
}}}

Move the string manipulation to `__init__()` where it runs once when the
middleware is initialized, storing the pre-computed value for use in
`process_response()`
--
Ticket URL: <https://code.djangoproject.com/ticket/37054>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#37054: Precompute the Referrer-Policy header value during middleware
initialization
-------------------------------------+-------------------------------------

Reporter: Mason Lyons | Owner: Mason
Type: | Lyons
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: 6.0
Severity: Normal | Resolution:
Keywords: middleware | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Mason Lyons):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37054#comment:1>

[Django]

#37054: Precompute the Referrer-Policy header value during middleware
initialization
-------------------------------------+-------------------------------------
Reporter: Mason Lyons | Owner: Mason
Type: | Lyons
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: 6.0
Severity: Normal | Resolution:
Keywords: middleware | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mason Lyons):

PR available: https://github.com/django/django/pull/21146
--
Ticket URL: <https://code.djangoproject.com/ticket/37054#comment:2>

[Django]

#37054: Precompute the Referrer-Policy header value during middleware
initialization
-------------------------------------+-------------------------------------
Reporter: Mason Lyons | Owner: Mason
Type: | Lyons
Cleanup/optimization | Status: assigned
Component: HTTP handling | Version: 6.0
Severity: Normal | Resolution:
Keywords: middleware | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Natalia Bidart):

Replying to [comment:2 Mason Lyons]:
> PR available: https://github.com/django/django/pull/21146

Hello, thank you for your ticket. I understand the rationale in the report
but the proposed change needs stronger justification and careful
consideration of compatibility. Specifically:

1. Performance evidence: this is a micro-optimization. Moving a small
string normalization from `process_response()` to `__init__()` may reduce
per-request work, but the cost is negligible relative to overall request
handling. Please provide evidence of a measurable performance improvement
in a production-grade Django setup (e.g., benchmarks under realistic load)
to justify the change. Also consider registering a benchmark check in
django-asv.
2. Backward compatibility: the change is not backward compatible and
introduces subtle behavior differences. Among others: generators would be
consumed at initialization instead of on first request, changes to
`self.referrer_policy` after initialization would no longer be reflected
in responses, subclasses overriding `process_response()` or relying on
`self.referrer_policy` being evaluated per request would observe different
behavior, etc.

Given these points, I'll be closing the ticket accordingly.
--
Ticket URL: <https://code.djangoproject.com/ticket/37054#comment:3>

[Django]

#37054: Precompute the Referrer-Policy header value during middleware
initialization
-------------------------------------+-------------------------------------
Reporter: Mason Lyons | Owner: Mason
Type: | Lyons

Cleanup/optimization | Status: closed

Component: HTTP handling | Version: 6.0

Severity: Normal | Resolution: wontfix

Keywords: middleware | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Natalia Bidart):

* resolution: => wontfix
* status: assigned => closed

--
Ticket URL: <https://code.djangoproject.com/ticket/37054#comment:4>