[Django] #37084: Add system check for CSP nonce policy without csp context processor


Django

May 5, 2026, 2:40:17 PM (4 days ago) May 5
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Type: New feature
Status: new                          | Component: Core (System checks)
Version: 6.0                         | Severity: Normal
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
When a project enables `ContentSecurityPolicyMiddleware` and includes
`CSP.NONCE` in its policy, but does not configure the
`django.template.context_processors.csp` context processor in `TEMPLATES`,
the result is a silent security misconfiguration. The developer has the
security of a non-nonce policy while believing they have nonce-based
protection.

Proposed check:

Register a new security check that emits a Warning (or Error) when all of
the following hold:
1. `django.middleware.csp.ContentSecurityPolicyMiddleware` is in the
middleware
2. At least one configured policy contains `CSP.NONCE` as a source value
3. No Django template engine in `TEMPLATES` lists
`django.template.context_processors.csp`

Possible message:
Your CSP policy includes `CSP.NONCE` and `ContentSecurityPolicyMiddleware`
is enabled, but the `django.template.context_processors.csp` context
processor is not configured. The nonce will appear in the response header
but not in rendered templates, so nonce-based protection will not take
effect. Add "django.template.context_processors.csp" to the
context_processors option of at least one Django template engine.
--
Ticket URL: <https://code.djangoproject.com/ticket/37084>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
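The misconfiguration the ticket describes is invisible in settings review alone, but it is visible in the HTTP response: the Content-Security-Policy header carries a fresh `'nonce-…'` source while the rendered `<script>` tags carry no nonce (with the context processor missing, `{{ csp_nonce }}` renders as an empty string). The following is an added illustration, not Django code and not part of the ticket; it uses only the standard library, and the header and HTML samples are constructed to mirror the two outcomes. It treats only inline (src-less) scripts, which a nonce policy without an effective `'unsafe-inline'` blocks unless they carry a matching nonce.

```python
"""
Response-level check for a nonce that is in the CSP header but not in the
rendered HTML. Illustrative code added to this thread, not Django's own.
Constructed samples: HEADER, WITH_PROCESSOR and WITHOUT_PROCESSOR below.
"""
import re
from html.parser import HTMLParser

_NONCE_SOURCE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
_HASH_SOURCE = re.compile(r"^'sha(256|384|512)-")


def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(header):
    """script-src governs inline scripts; default-src applies when it is absent."""
    directives = parse_csp(header)
    return directives.get("script-src", directives.get("default-src", []))


class _InlineScripts(HTMLParser):
    """Collect the nonce attribute (None if absent) of every src-less <script>."""

    def __init__(self):
        super().__init__()
        self.nonces = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attrs = dict(attrs)
            if "src" not in attrs:
                self.nonces.append(attrs.get("nonce"))


def blocked_inline_scripts(header, html):
    """Nonce attribute of each inline script that the header's policy would
    refuse to run: missing, empty, or not matching a header nonce."""
    sources = script_sources(header)
    header_nonces = {m.group(1) for s in sources if (m := _NONCE_SOURCE.match(s))}
    has_hashes = any(_HASH_SOURCE.match(s) for s in sources)
    # Per CSP3, 'unsafe-inline' is ignored once a nonce or hash source is present.
    unsafe_inline_effective = (
        "'unsafe-inline'" in sources and not header_nonces and not has_hashes
    )
    if unsafe_inline_effective:
        return []
    parser = _InlineScripts()
    parser.feed(html)
    return [n for n in parser.nonces if not n or n not in header_nonces]


# Constructed samples. The template is <script nonce="{{ csp_nonce }}">; without
# the context processor the variable is undefined and renders as "".
HEADER = "default-src 'self'; script-src 'self' 'nonce-Kx3pQ9VfZ0'"
WITH_PROCESSOR = '<html><body><script nonce="Kx3pQ9VfZ0">init();</script></body></html>'
WITHOUT_PROCESSOR = '<html><body><script nonce="">init();</script></body></html>'

if __name__ == "__main__":
    print("with processor:", blocked_inline_scripts(HEADER, WITH_PROCESSOR))
    print("without processor:", blocked_inline_scripts(HEADER, WITHOUT_PROCESSOR))
```

A check like this belongs in a test that renders a real view through the full middleware stack: it catches the case the settings-level system check cannot, a template that simply never uses `csp_nonce` even though the processor is configured.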

Django

May 5, 2026, 2:57:40 PM (4 days ago) May 5
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
--------------------------------------+------------------------------------
Reporter: Rob Hudson | Owner: (none)
Type: New feature | Status: new
Component: Core (System checks) | Version: 6.0
Severity: Normal | Resolution:
Keywords: csp nonce | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Natalia Bidart):

* keywords: => csp nonce
* stage: Unreviewed => Accepted


Old description:

> When a project enables `ContentSecurityPolicyMiddleware` and includes
> `CSP.NONCE` in its policy, but does not configure the
> `django.template.context_processors.csp` context processor in
> `TEMPLATES`, the result is a silent security misconfiguration. The
> developer has the security of a non-nonce policy while believing they
> have nonce-based protection.
>
> Proposed check:
>
> Register a new security check that emits a Warning (or Error) when all of
> the following hold:
> 1. `django.middleware.csp.ContentSecurityPolicyMiddleware` is in the
> middleware
> 2. At least one configured policy contains `CSP.NONCE` as a source value
> 3. No Django template engine in `TEMPLATES` lists
> `django.template.context_processors.csp`
>
> Possible message:
> Your CSP policy includes `CSP.NONCE` and
> `ContentSecurityPolicyMiddleware` is enabled, but the
> `django.template.context_processors.csp context processor` is not
> configured. The nonce will appear in the response header but not in
> rendered templates, so nonce-based protection will not take effect. Add
> "django.template.context_processors.csp" to the context_processors option
> of at least one Django template engine.

New description:

When a project enables `ContentSecurityPolicyMiddleware` and includes
`CSP.NONCE` in its policy, but does not configure the
`django.template.context_processors.csp` context processor in `TEMPLATES`,
the result is a silent security misconfiguration. The developer has the
security of a non-nonce policy while believing they have nonce-based
protection.

Proposed check:

Register a new security check that emits a Warning (or Error) when all of
the following hold:
1. `django.middleware.csp.ContentSecurityPolicyMiddleware` is in the
middleware
2. At least one configured policy contains `CSP.NONCE` as a source value
3. No Django template engine in `TEMPLATES` lists
`django.template.context_processors.csp`

Possible message:
Your CSP policy includes `CSP.NONCE` and `ContentSecurityPolicyMiddleware`
is enabled, but the `django.template.context_processors.csp` context
processor is not configured. The nonce will appear in the response header
but not in rendered templates, so nonce-based protection will not take
effect. Add "django.template.context_processors.csp" to the
context_processors option of at least one Django template engine.

--
Comment:

Thank you Rob!
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:1>

Django

May 5, 2026, 5:48:09 PM (4 days ago) May 5
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: MiladZarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by MiladZarour):

* owner: (none) => MiladZarour
* status: new => assigned

Comment:

I’d like to work on this ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:2>

Django

May 5, 2026, 6:01:18 PM (4 days ago) May 5
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: MiladZarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by MiladZarour):

* has_patch: 0 => 1

Comment:

[https://github.com/django/django/pull/21230 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:3>

Django

May 6, 2026, 3:13:01 PM (3 days ago) May 6
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:4>

Django

May 6, 2026, 3:33:23 PM (3 days ago) May 6
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Milad Zarour):

* needs_better_patch: 1 => 0

Comment:

Updated PR 21230 to address review comments:
- Handle iterable CSP directive values, including frozenset.
- Allow django.template.context_processors.csp on any template backend
with context_processors configured.
- Moved the release note under the CSP section.

Tests:
- python tests/runtests.py check_framework.test_security
- Ran 76 tests successfully, with 1 skipped.
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:5>

Django

May 6, 2026, 3:54:39 PM (3 days ago) May 6
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:6>

Django

May 7, 2026, 4:55:11 AM (3 days ago) May 7
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Johannes Maron):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:7>

Django

May 7, 2026, 8:24:27 AM (2 days ago) May 7
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Ready for checkin => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:8>

Django

May 7, 2026, 11:04:41 AM (2 days ago) May 7
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Milad Zarour):

* needs_better_patch: 1 => 0

Comment:

Updated PR 21230 to address the latest review comments:

- Resolved conflicts with main in docs/ref/checks.txt and
docs/releases/6.1.txt.
- Moved security.W027 to the non-deploy security checks section.
- Updated the warning wording to use “Content Security Policy”.
- Updated CSP.NONCE detection to use EAFP-style checks around
policy.values() and directive value membership.
- Kept the context processor check as “any backend” to avoid false
positives for projects with separate template backends.

Tests:
- python -m black --check django/core/checks/security/base.py
tests/check_framework/test_security.py
- python -m flake8 django/core/checks/security/base.py
tests/check_framework/test_security.py
- python tests/runtests.py check_framework.test_security
- Ran 76 tests successfully, with 1 skipped.
- git diff --check
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:9>
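The three conditions from the original ticket description, together with the refinements reported in comments 5 and 9 (iterable directive values including `frozenset`, the context processor accepted on any template backend, EAFP-style handling around `policy.values()` and membership tests), fit in a small function. What follows is an added stand-alone model of that check, not the code in PR 21230 or in Django: it imports nothing from Django, reads a plain settings-like object, and makes these assumptions, each marked in the code: `SECURE_CSP` and `SECURE_CSP_REPORT_ONLY` hold a dict with a `DIRECTIVES` mapping, `CSP.NONCE` is represented by a local sentinel string, and the warning text is paraphrased from the ticket rather than copied from the committed `security.W027`.

```python
"""
Stand-alone model of the CSP nonce / context processor system check.
Illustrative code added to this thread; not the committed Django check.
"""
from types import SimpleNamespace

# Assumption: local stand-in for django.utils.csp.CSP.NONCE. The check only
# needs equality with whatever value the project's policy lists.
CSP_NONCE = "<CSP_NONCE_SENTINEL>"
CSP_MIDDLEWARE = "django.middleware.csp.ContentSecurityPolicyMiddleware"
CSP_CONTEXT_PROCESSOR = "django.template.context_processors.csp"

# Assumption: wording paraphrased from the ticket, not the committed message.
W027 = (
    "security.W027",
    "Your Content Security Policy includes CSP.NONCE and "
    "ContentSecurityPolicyMiddleware is enabled, but the "
    f"{CSP_CONTEXT_PROCESSOR} context processor is not configured. The nonce "
    "will appear in the response header but not in rendered templates, so "
    "nonce-based protection will not take effect.",
)


def policy_uses_nonce(policy):
    """True if any directive value in a {"DIRECTIVES": {...}} policy is the nonce.

    EAFP: a policy that is not a dict, or directive values that are not
    iterable, are skipped; validating the policy's shape is the middleware's
    job, not this check's.
    """
    try:
        values = policy["DIRECTIVES"].values()
    except (KeyError, TypeError, AttributeError):
        return False
    for value in values:
        if isinstance(value, str):
            # A bare string is one source expression; a plain `in` would
            # otherwise do a substring match.
            if value == CSP_NONCE:
                return True
            continue
        try:
            if CSP_NONCE in value:  # list, tuple, set, frozenset, ...
                return True
        except TypeError:
            continue
    return False


def any_backend_has_csp_processor(templates):
    """Accept the processor on any backend that lists it, not only DjangoTemplates."""
    for backend in templates:
        try:
            processors = backend["OPTIONS"]["context_processors"]
        except (KeyError, TypeError):
            continue
        if CSP_CONTEXT_PROCESSOR in processors:
            return True
    return False


def check_csp_nonce_context_processor(settings):
    """Return [W027] when all three ticket conditions hold, otherwise []."""
    if CSP_MIDDLEWARE not in getattr(settings, "MIDDLEWARE", ()):
        return []
    policies = (
        getattr(settings, "SECURE_CSP", None),
        getattr(settings, "SECURE_CSP_REPORT_ONLY", None),
    )
    if not any(policy_uses_nonce(p) for p in policies if p):
        return []
    if any_backend_has_csp_processor(getattr(settings, "TEMPLATES", ())):
        return []
    return [W027]


# Constructed settings objects covering the interesting cases.
_DJANGO = "django.template.backends.django.DjangoTemplates"
_REQUEST_CP = "django.template.context_processors.request"
MISCONFIGURED = SimpleNamespace(
    MIDDLEWARE=[CSP_MIDDLEWARE],
    SECURE_CSP={"DIRECTIVES": {"script-src": ["'self'", CSP_NONCE]}},
    TEMPLATES=[{"BACKEND": _DJANGO, "OPTIONS": {"context_processors": [_REQUEST_CP]}}],
)
FIXED = SimpleNamespace(
    MIDDLEWARE=[CSP_MIDDLEWARE],
    SECURE_CSP={"DIRECTIVES": {"script-src": ["'self'", CSP_NONCE]}},
    TEMPLATES=[{"BACKEND": _DJANGO, "OPTIONS": {
        "context_processors": [_REQUEST_CP, CSP_CONTEXT_PROCESSOR]}}],
)
# Report-only policy, nonce inside a frozenset, processor only on a non-Django backend.
REPORT_ONLY_OTHER_BACKEND = SimpleNamespace(
    MIDDLEWARE=[CSP_MIDDLEWARE],
    SECURE_CSP_REPORT_ONLY={"DIRECTIVES": {"script-src": frozenset({"'self'", CSP_NONCE})}},
    TEMPLATES=[{"BACKEND": "django.template.backends.jinja2.Jinja2",
                "OPTIONS": {"context_processors": [CSP_CONTEXT_PROCESSOR]}}],
)
NO_NONCE = SimpleNamespace(
    MIDDLEWARE=[CSP_MIDDLEWARE],
    SECURE_CSP={"DIRECTIVES": {"script-src": ["'self'"]}},
    TEMPLATES=[],
)

if __name__ == "__main__":
    for name, s in [("MISCONFIGURED", MISCONFIGURED), ("FIXED", FIXED),
                    ("REPORT_ONLY_OTHER_BACKEND", REPORT_ONLY_OTHER_BACKEND),
                    ("NO_NONCE", NO_NONCE)]:
        print(name, [w[0] for w in check_csp_nonce_context_processor(s)])
```

The "any backend" rule means a project that serves some pages from a Jinja2 backend with the processor and others from a DjangoTemplates backend without it will not be warned; as comment 9 notes, that is the deliberate trade-off against false positives, and the response-level check is what catches the remaining gap.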

Django

May 7, 2026, 11:14:02 AM (2 days ago) May 7
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: assigned
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution:
Keywords: csp nonce                  | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Johannes Maron):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:10>

Django

May 7, 2026, 3:26:49 PM (2 days ago) May 7
to django-...@googlegroups.com
#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
Reporter: Rob Hudson                 | Owner: Milad Zarour
Type: New feature                    | Status: closed
Component: Core (System checks)      | Version: 6.0
Severity: Normal                     | Resolution: fixed
Keywords: csp nonce                  | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls <jacobtylerwalls@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"62fa9b8976b9fd74440e9f97c0744feaf3165dc9" 62fa9b8]:
{{{#!CommitTicketReference repository=""
revision="62fa9b8976b9fd74440e9f97c0744feaf3165dc9"
Fixed #37084 -- Added CSP nonce context processor system check.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37084#comment:11>