from __future__ import annotations
import copy
import re
from itertools import chain
from typing import Any, Callable
from django.conf import settings
from django.utils.encoding import force_str
from csp.constants import NONCE, SELF
DEFAULT_DIRECTIVES = {
# Fetch Directives
"child-src": None,
"connect-src": None,
"default-src": [SELF],
"script-src": None,
"script-src-attr": None,
"script-src-elem": None,
"object-src": None,
"style-src": None,
"style-src-attr": None,
"style-src-elem": None,
"font-src": None,
"frame-src": None,
"img-src": None,
"manifest-src": None,
"media-src": None,
"prefetch-src": None, # Deprecated.
# Document Directives
"base-uri": None,
"plugin-types": None, # Deprecated.
"sandbox": None,
# Navigation Directives
"form-action": None,
"frame-ancestors": None,
"navigate-to": None,
# Reporting Directives
"report-uri": None,
"report-to": None,
"require-sri-for": None,
# Trusted Types Directives
"require-trusted-types-for": None,
"trusted-types": None,
# Other Directives
"webrtc": None,
"worker-src": None,
# Directives Defined in Other Documents
"upgrade-insecure-requests": False,
"block-all-mixed-content": False, # Deprecated.
}
DIRECTIVES_T = dict[str, Any]
def default_config(csp: DIRECTIVES_T | None) -> DIRECTIVES_T | None:
if csp is None:
return None
# Make a copy of the passed in config to avoid mutating it, and also to drop any unknown keys.
config = {}
for key, value in DEFAULT_DIRECTIVES.items():
config[key] = csp.get(key, value)
return config
def build_policy(
config: DIRECTIVES_T | None = None,
update: DIRECTIVES_T | None = None,
replace: DIRECTIVES_T | None = None,
nonce: str | None = None,
report_only: bool = False,
) -> str:
"""Builds the policy as a string from the settings."""
if config is None:
if report_only:
config = getattr(settings, "CONTENT_SECURITY_POLICY_REPORT_ONLY", {})
config = default_config(config.get("DIRECTIVES", {})) if config else None
else:
config = getattr(settings, "CONTENT_SECURITY_POLICY", {})
config = default_config(config.get("DIRECTIVES", {})) if config else None
# If config is still `None`, return empty policy.
if config is None:
return ""
update = update if update is not None else {}
replace = replace if replace is not None else {}
csp = {}
for k in set(chain(config, replace)):
if k in replace:
v = replace[k]
else:
v = config[k]
if v is not None:
v = copy.copy(v)
if isinstance(v, set):
v = sorted(v)
if not isinstance(v, (list, tuple)):
v = (v,)
csp[k] = v
for k, v in update.items():
if v is not None:
v = copy.copy(v)
if isinstance(v, set):
v = sorted(v)
if not isinstance(v, (list, tuple)):
v = (v,)
if csp.get(k) is None:
csp[k] = v
else:
csp[k] += tuple(v)
report_uri = csp.pop("report-uri", None)
policy_parts = {}
for key, value in csp.items():
# Check for boolean directives.
if len(value) == 1 and isinstance(value[0], bool):
if value[0] is True:
policy_parts[key] = ""
continue
if NONCE in value:
if nonce:
value = [f"'nonce-{nonce}'" if v == NONCE else v for v in value]
else:
# Strip the `NONCE` sentinel value if no nonce is provided.
value = [v for v in value if v != NONCE]
value = list(dict.fromkeys(value)) # Deduplicate
policy_parts[key] = " ".join(value)
if report_uri:
report_uri = map(force_str, report_uri)
policy_parts["report-uri"] = " ".join(report_uri)
return "; ".join([f"{k} {val}".strip() for k, val in policy_parts.items()])
def _default_attr_mapper(attr_name: str, val: str) -> str:
if val:
return f' {attr_name}="{val}"'
else:
return ""
def _bool_attr_mapper(attr_name: str, val: bool) -> str:
# Only return the bare word if the value is truthy
# ie - defer=False should actually return an empty string
if val:
return f" {attr_name}"
else:
return ""
def _async_attr_mapper(attr_name: str, val: str | bool) -> str:
"""The `async` attribute works slightly different than the other bool
attributes. It can be set explicitly to `false` with no surrounding quotes
according to the spec."""
if val in [False, "False"]:
return f" {attr_name}=false"
elif val:
return f" {attr_name}"
else:
return ""
# Allow per-attribute customization of returned string template
SCRIPT_ATTRS: dict[str, Callable[[str, Any], str]] = {
"nonce": _default_attr_mapper,
"id": _default_attr_mapper,
"src": _default_attr_mapper,
"type": _default_attr_mapper,
"async": _async_attr_mapper,
"defer": _bool_attr_mapper,
"integrity": _default_attr_mapper,
"nomodule": _bool_attr_mapper,
}
# Generates an interpolatable string of valid attrs eg - '{nonce}{id}...'
ATTR_FORMAT_STR = "".join([f"{{{a}}}" for a in SCRIPT_ATTRS])
_script_tag_contents_re = re.compile(
r""" # match the closing script tag
""",
re.VERBOSE,
)
def _unwrap_script(text: str) -> str:
"""Extract content defined between script tags"""
matches = re.search(_script_tag_contents_re, text)
if matches and len(matches.groups()):
return matches.group(1).strip()
return text
def build_script_tag(content: str | None = None, **kwargs: Any) -> str:
data = {}
# Iterate all possible script attrs instead of kwargs to make
# interpolation as easy as possible below
for attr_name, mapper in SCRIPT_ATTRS.items():
data[attr_name] = mapper(attr_name, kwargs.get(attr_name))
# Don't render block contents if the script has a 'src' attribute
c = _unwrap_script(content) if content and not kwargs.get("src") else ""
attrs = ATTR_FORMAT_STR.format(**data).rstrip()
return f"{c}".strip()