[Django] #36831: Add validation for CSP directive names and values in build_policy()
1 view
Skip to first unread message
Django
Dec 26, 2025, 3:06:58 PM (3 days ago) Dec 26
to django-...@googlegroups.com
#36831: Add validation for CSP directive names and values in build_policy()
-------------------------------------+-------------------------------------
Reporter: naveedqadir | Type:
| Cleanup/optimization
Status: new | Component: Utilities
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The `build_policy()` function in `django/utils/csp.py` does not validate
directive names or values, allowing malformed CSP policies to be
generated.
== Problem ==
CSP policies use semicolons to separate directives. If a directive name or
value contains a semicolon (e.g., from a misconfiguration), it can result
in a malformed policy:
{{{#!python
from django.utils.csp import build_policy, CSP
# This produces a malformed CSP header
policy = {"script-src": ["https://good.com; report-uri https://evil.com"]}
build_policy(policy)
# Returns: "script-src https://good.com; report-uri https://evil.com"
# The semicolon splits what should be one directive into two!
}}}
While this requires developer misconfiguration (not user input), it's a
hardening improvement to catch these errors early with a clear error
message rather than silently producing invalid policies.
== Solution ==
Add validation to `build_policy()` that raises `ValueError` if:
- Directive names contain semicolons, `\r`, or `\n`
- Values contain semicolons
The error messages guide developers to use proper list syntax for multiple
values.
== Patch ==
A patch with tests is ready and will be submitted as a PR.
--
Ticket URL: <https://code.djangoproject.com/ticket/36831>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
-------------------------------------+-------------------------------------
Reporter: naveedqadir | Type:
| Cleanup/optimization
Status: new | Component: Utilities
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The `build_policy()` function in `django/utils/csp.py` does not validate
directive names or values, allowing malformed CSP policies to be
generated.
== Problem ==
CSP policies use semicolons to separate directives. If a directive name or
value contains a semicolon (e.g., from a misconfiguration), it can result
in a malformed policy:
{{{#!python
from django.utils.csp import build_policy, CSP
# This produces a malformed CSP header
policy = {"script-src": ["https://good.com; report-uri https://evil.com"]}
build_policy(policy)
# Returns: "script-src https://good.com; report-uri https://evil.com"
# The semicolon splits what should be one directive into two!
}}}
While this requires developer misconfiguration (not user input), it's a
hardening improvement to catch these errors early with a clear error
message rather than silently producing invalid policies.
== Solution ==
Add validation to `build_policy()` that raises `ValueError` if:
- Directive names contain semicolons, `\r`, or `\n`
- Values contain semicolons
The error messages guide developers to use proper list syntax for multiple
values.
== Patch ==
A patch with tests is ready and will be submitted as a PR.
--
Ticket URL: <https://code.djangoproject.com/ticket/36831>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Dec 26, 2025, 4:50:47 PM (3 days ago) Dec 26
to django-...@googlegroups.com
#36831: Add validation for CSP directive names and values in build_policy()
-------------------------------------+-------------------------------------
Reporter: Naveed Qadir | Owner: Naveed
-------------------------------------+-------------------------------------
Type: | Qadir
Cleanup/optimization | Status: assigned
Component: Utilities | Version: 6.0
Severity: Normal | Resolution:
Keywords: csp,validation | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Naveed Qadir):
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* keywords: => csp,validation
* owner: (none) => Naveed Qadir
* status: new => assigned
Old description:
The `build_policy()` function in `django/utils/csp.py` does not validate
directive names or values, allowing malformed CSP policies to be
generated.
== Problem ==
CSP policies use semicolons to separate directives. If a directive name or
value contains a semicolon (e.g., from a misconfiguration), it can result
in a malformed policy:
{{{#!python
from django.utils.csp import build_policy, CSP
# This produces a malformed CSP header
policy = {"script-src": ["https://good.com; report-uri https://evil.com"]}
build_policy(policy)
# Returns: "script-src https://good.com; report-uri https://evil.com"
# The semicolon splits what should be one directive into two!
}}}
While this requires developer misconfiguration (not user input), it's a
hardening improvement to catch these errors early with a clear error
message rather than silently producing invalid policies.
== Solution ==
Add validation to `build_policy()` that raises `ValueError` if:
- Directive names contain semicolons, `\r`, or `\n`
- Values contain semicolons
The error messages guide developers to use proper list syntax for multiple
values.
== Patch ==
--
--
Ticket URL: <https://code.djangoproject.com/ticket/36831#comment:1>
Django
3:05 PM (5 hours ago) 3:05 PM
to django-...@googlegroups.com
#36831: Add validation for CSP directive names and values in build_policy()
-------------------------------------+-------------------------------------
Reporter: Naveed Qadir | Owner: Naveed
Type: | Qadir
Cleanup/optimization | Status: closed
-------------------------------------+-------------------------------------
Reporter: Naveed Qadir | Owner: Naveed
Type: | Qadir
Component: Utilities | Version: 6.0
Severity: Normal | Resolution: wontfix
Keywords: csp,validation | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* resolution: => wontfix
* status: assigned => closed
Comment:
Thanks for the ticket, but I don't think this brings enough value to work
on. There's developer feedback in browser dev tools already for invalid
policies:
{{{
98:1 Unrecognized Content-Security-Policy directive 'foo'.
}}}
And I'm not certain some of the proposed validations aren't technically
valid somehow.
What are your motivations for opening this report?
--
Ticket URL: <https://code.djangoproject.com/ticket/36831#comment:2>
Django
3:27 PM (4 hours ago) 3:27 PM
to django-...@googlegroups.com
#36831: Add validation for CSP directive names and values in build_policy()
-------------------------------------+-------------------------------------
Reporter: Naveed Qadir | Owner: Naveed
Type: | Qadir
Cleanup/optimization | Status: closed
Component: Utilities | Version: 6.0
Severity: Normal | Resolution: wontfix
Keywords: csp,validation | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Naveed Qadir):
-------------------------------------+-------------------------------------
Reporter: Naveed Qadir | Owner: Naveed
Type: | Qadir
Cleanup/optimization | Status: closed
Component: Utilities | Version: 6.0
Severity: Normal | Resolution: wontfix
Keywords: csp,validation | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Thanks for reviewing, Jacob. I understand the concern about adding
validation that might be overly restrictive.
My motivation was to catch developer errors earlier in the development
cycle (during testing/local development) rather than requiring manual
inspection of browser console logs. The specific scenario: developer
misconfigures CSP with embedded semicolons → Django silently generates
malformed policy → browser partially applies it, security gaps may go
unnoticed.
Regarding technical validity: semicolons in directive names are
definitively invalid per the [CSP Level 3 spec](https://www.w3.org/TR/CSP3
/#grammardef-serialized-policy), which defines directive names as tokens
that cannot contain semicolons (reserved as directive separators).
If there's interest in a minimal approach validating only directive names
against the spec's well-defined grammar, I'm happy to revise. Otherwise, I
understand closing as wontfix.
Replying to [comment:2 Jacob Walls]:
> Thanks for the ticket, but I don't think this brings enough value to
work on. There's developer feedback in browser dev tools already for
invalid policies:
>
> {{{
> 98:1 Unrecognized Content-Security-Policy directive 'foo'.
> }}}
>
> And I'm not certain some of the proposed validations aren't technically
valid somehow.
>
> What are your motivations for opening this report?
--
Ticket URL: <https://code.djangoproject.com/ticket/36831#comment:3>
work on. There's developer feedback in browser dev tools already for
invalid policies:
>
> {{{
> 98:1 Unrecognized Content-Security-Policy directive 'foo'.
> }}}
>
> And I'm not certain some of the proposed validations aren't technically
valid somehow.
>
> What are your motivations for opening this report?
--
Reply all
Reply to author
Forward
0 new messages