[Django] #37119: Adjust CSP middleware ordering note to clarify the effect of "accessing" the nonce
4 views
Skip to first unread message
Django
May 26, 2026, 3:01:48 PM (7 days ago) May 26
to django-...@googlegroups.com
#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Type:
| Cleanup/optimization
Status: new | Component:
| Documentation
Version: 6.0 | Severity: Normal
Keywords: CSP | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
See [https://github.com/django/django/pull/19393#issuecomment-4399804216
discussion] on a closed PR. Our middleware ordering advice says this about
`ContentSecurityPolicyMiddleware`:
> Can be placed near the bottom, but ensure any middleware that accesses
csp_nonce is positioned after it, so the nonce is properly included in the
response header.
To my ear, this assumes too much knowledge about the underlying "lazy"
implementation that waits to materialize a nonce until it is "accessed".
Without that detail in mind, on first read, I thought this was referring
to accessing the header, which made me think this advice was backwards (to
access the header, a response-phase middleware would need to be ordered
before, not after).
Suggested edit to clarify the laziness, and that "accessing" refers to the
nonce value, not the header:
{{{#!diff
- Can be placed near the bottom, but ensure any middleware that accesses
- :ref:`csp_nonce <csp-nonce>` is positioned after it, so the nonce is
- properly included in the response header.
+ Can be placed near the bottom, but since the :ref:`csp_nonce <csp-
nonce>` is
+ lazy, ensure any middleware that accesses it is positioned after, so
the
+ nonce is generated before this middleware builds the response header.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37119>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
the nonce
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Type:
| Cleanup/optimization
Status: new | Component:
| Documentation
Version: 6.0 | Severity: Normal
Keywords: CSP | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
See [https://github.com/django/django/pull/19393#issuecomment-4399804216
discussion] on a closed PR. Our middleware ordering advice says this about
`ContentSecurityPolicyMiddleware`:
> Can be placed near the bottom, but ensure any middleware that accesses
csp_nonce is positioned after it, so the nonce is properly included in the
response header.
To my ear, this assumes too much knowledge about the underlying "lazy"
implementation that waits to materialize a nonce until it is "accessed".
Without that detail in mind, on first read, I thought this was referring
to accessing the header, which made me think this advice was backwards (to
access the header, a response-phase middleware would need to be ordered
before, not after).
Suggested edit to clarify the laziness, and that "accessing" refers to the
nonce value, not the header:
{{{#!diff
- Can be placed near the bottom, but ensure any middleware that accesses
- :ref:`csp_nonce <csp-nonce>` is positioned after it, so the nonce is
- properly included in the response header.
+ Can be placed near the bottom, but since the :ref:`csp_nonce <csp-
nonce>` is
+ lazy, ensure any middleware that accesses it is positioned after, so
the
+ nonce is generated before this middleware builds the response header.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37119>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
May 27, 2026, 1:39:50 AM (7 days ago) May 27
to django-...@googlegroups.com
#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Vishy
the nonce
-------------------------------------+-------------------------------------
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Vishy):
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* owner: (none) => Vishy
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/37119#comment:1>
Django
May 27, 2026, 8:25:41 AM (7 days ago) May 27
to django-...@googlegroups.com
#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
--------------------------------------+------------------------------------
the nonce
Reporter: Jacob Walls | Owner: Vishy
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP | Triage Stage: Accepted
Severity: Normal | Resolution:
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham):
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/37119#comment:2>
Django
Jun 1, 2026, 11:43:36 AM (yesterday) Jun 1
to django-...@googlegroups.com
#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
--------------------------------------+------------------------------------
Reporter: Jacob Walls | Owner: Vishy
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
the nonce
--------------------------------------+------------------------------------
Reporter: Jacob Walls | Owner: Vishy
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Vishy):
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
* has_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/37119#comment:3>
Django
Jun 1, 2026, 11:51:27 AM (yesterday) Jun 1
to django-...@googlegroups.com
#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
-------------------------------------+-------------------------------------
the nonce
Reporter: Jacob Walls | Owner: Vishy
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: CSP | Triage Stage: Ready for
Severity: Normal | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Jacob Walls):
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/37119#comment:4>
Django
Jun 1, 2026, 11:53:25 AM (yesterday) Jun 1
to django-...@googlegroups.com
#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Vishy
Type: | Status: closed
the nonce
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Vishy
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Component: Documentation | Version: 6.0
Keywords: CSP | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls <jacobtylerwalls@…>):
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* resolution: => fixed
* status: assigned => closed
Comment:
In [changeset:"be8d1b628533ac38d2771356e92ade1d61d3f059" be8d1b62]:
{{{#!CommitTicketReference repository=""
revision="be8d1b628533ac38d2771356e92ade1d61d3f059"
Fixed #37119 -- Clarified middleware ordering note for nonce access.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37119#comment:5>
Django
Jun 1, 2026, 11:54:03 AM (yesterday) Jun 1
to django-...@googlegroups.com
#37119: Adjust CSP middleware ordering note to clarify the effect of "accessing"
the nonce
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Vishy
Type: | Status: closed
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: CSP | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):
the nonce
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Vishy
Type: | Status: closed
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: CSP | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
In [changeset:"2399b9ebd3daa054581ad888272f4098126ce51f" 2399b9e]:
{{{#!CommitTicketReference repository=""
revision="2399b9ebd3daa054581ad888272f4098126ce51f"
[6.1.x] Fixed #37119 -- Clarified middleware ordering note for nonce
access.
Backport of be8d1b628533ac38d2771356e92ade1d61d3f059 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37119#comment:6>
Reply all
Reply to author
Forward
0 new messages