in csp/checks.py [0:0]
def check_exclude_url_prefixes_is_not_string(app_configs: Sequence[AppConfig] | None, **kwargs: Any) -> list[Error]:
    """
    Report an ``EXCLUDE_URL_PREFIXES`` value that is a ``str`` instead of a list or tuple.

    A ``str`` iterates character by character, so a value such as ``"/"`` would be
    read as the single prefix ``/`` and match every request path, silently removing
    the CSP header from all responses. Both ``CONTENT_SECURITY_POLICY`` and
    ``CONTENT_SECURITY_POLICY_REPORT_ONLY`` are inspected; a policy that is not a
    ``dict`` is not reported here. The check is a no-op on django-csp older than
    4.0, where these settings do not apply.

    Returns:
        One ``Error`` (id ``csp.E002``) per offending setting, or an empty list.
    """
    # Only django-csp >= 4.0 (pre-releases included) uses these dict-based settings.
    if Version(version("django-csp")) < Version("4.0a1"):
        return []

    def _has_string_prefixes(setting_name: str) -> bool:
        # Missing settings default to an empty dict and therefore never match.
        policy = getattr(settings, setting_name, {})
        return isinstance(policy, dict) and isinstance(policy.get("EXCLUDE_URL_PREFIXES"), str)

    policy_settings = ("CONTENT_SECURITY_POLICY", "CONTENT_SECURITY_POLICY_REPORT_ONLY")
    return [
        Error(
            f"EXCLUDE_URL_PREFIXES in {setting_name} settings must be a list or tuple.",
            id="csp.E002",
        )
        for setting_name in policy_settings
        if _has_string_prefixes(setting_name)
    ]