Refactor on csp_nonce usage with django-csp (#2088)

* Consolidate csp_nonce usages to a single property on the toolbar.

This refactors how the CSP nonce is fetched. It's now done as
a toolbar property and wraps the attribute request.csp_nonce

* Add csp to our words list.

* Unpin django-csp for tests.

Author: tim-schilling

debug_toolbar/templates/debug_toolbar/base.html

@@ -1,10 +1,10 @@
 {% load i18n static %}
 {% block css %}
-<link{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/print.css' %}" media="print">
-<link{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/toolbar.css' %}">
+<link{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/print.css' %}" media="print">
+<link{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} rel="stylesheet" href="{% static 'debug_toolbar/css/toolbar.css' %}">
 {% endblock %}
 {% block js %}
-<script{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/toolbar.js' %}" async></script>
+<script{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/toolbar.js' %}" async></script>
 {% endblock %}
 <div id="djDebug" class="djdt-hidden" dir="ltr"
      {% if not toolbar.should_render_panels %}

debug_toolbar/templates/debug_toolbar/includes/panel_content.html

@@ -8,7 +8,7 @@ <h3>{{ panel.title }}</h3>
     </div>
     <div class="djDebugPanelContent">
       {% if toolbar.should_render_panels %}
-        {% for script in panel.scripts %}<script{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} type="module" src="{{ script }}" async></script>{% endfor %}
+        {% for script in panel.scripts %}<script{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} type="module" src="{{ script }}" async></script>{% endfor %}
         <div class="djdt-scroll">{{ panel.content }}</div>
       {% else %}
         <div class="djdt-loader"></div>

debug_toolbar/templates/debug_toolbar/redirect.html

@@ -3,7 +3,7 @@
 <html lang="en">
   <head>
     <title>Django Debug Toolbar Redirects Panel: {{ status_line }}</title>
-    <script{% if toolbar.request.csp_nonce %} nonce="{{ toolbar.request.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/redirect.js' %}" async></script>
+    <script{% if toolbar.csp_nonce %} nonce="{{ toolbar.csp_nonce }}"{% endif %} type="module" src="{% static 'debug_toolbar/js/redirect.js' %}" async></script>
   </head>
   <body>
     <h1>{{ status_line }}</h1>

debug_toolbar/toolbar.py

@@ -65,6 +65,16 @@ def enabled_panels(self):
         """
         return [panel for panel in self._panels.values() if panel.enabled]
 
+    @property
+    def csp_nonce(self):
+        """
+        Look up the Content Security Policy nonce if there is one.
+
+        This is built specifically for django-csp, which may not always
+        have a nonce associated with the request.
+        """
+        return getattr(self.request, "csp_nonce", None)
+
     def get_panel_by_id(self, panel_id):
         """
         Get the panel with the given id, which is the class name by default.

docs/changes.rst

@@ -18,6 +18,8 @@ Pending
 * Avoided a "forked" Promise chain in the rebound ``window.fetch`` function
   with missing exception handling.
 * Fixed the pygments code highlighting when using dark mode.
+* Fix for exception-unhandled "forked" Promise chain in rebound window.fetch
+* Create a CSP nonce property on the toolbar ``Toolbar().csp_nonce``.
 
 5.0.1 (2025-01-13)
 ------------------

docs/spelling_wordlist.txt

@@ -16,6 +16,7 @@ backported
 biome
 checkbox
 contrib
+csp
 dicts
 django
 fallbacks

tests/test_csp_rendering.py

@@ -13,6 +13,13 @@
 
 from .base import IntegrationTestCase
 
+MIDDLEWARE_CSP_BEFORE = settings.MIDDLEWARE.copy()
+MIDDLEWARE_CSP_BEFORE.insert(
+    MIDDLEWARE_CSP_BEFORE.index("debug_toolbar.middleware.DebugToolbarMiddleware"),
+    "csp.middleware.CSPMiddleware",
+)
+MIDDLEWARE_CSP_LAST = settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
+
 
 def get_namespaces(element: Element) -> dict[str, str]:
     """
@@ -63,70 +70,97 @@ def _fail_on_invalid_html(self, content: bytes, parser: HTMLParser):
             msg = self._formatMessage(None, "\n".join(default_msg))
             raise self.failureException(msg)
 
-    @override_settings(
-        MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
-    )
     def test_exists(self):
         """A `nonce` should exist when using the `CSPMiddleware`."""
-        response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
-        self.assertEqual(response.status_code, 200)
-
-        html_root: Element = self.parser.parse(stream=response.content)
-        self._fail_on_invalid_html(content=response.content, parser=self.parser)
-        self.assertContains(response, "djDebug")
-
-        namespaces = get_namespaces(element=html_root)
-        toolbar = list(DebugToolbar._store.values())[0]
-        nonce = str(toolbar.request.csp_nonce)
-        self._fail_if_missing(
-            root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
-        )
-        self._fail_if_missing(
-            root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
-        )
+        for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
+            with self.settings(MIDDLEWARE=middleware):
+                response = cast(HttpResponse, self.client.get(path="/csp_view/"))
+                self.assertEqual(response.status_code, 200)
+
+                html_root: Element = self.parser.parse(stream=response.content)
+                self._fail_on_invalid_html(content=response.content, parser=self.parser)
+                self.assertContains(response, "djDebug")
+
+                namespaces = get_namespaces(element=html_root)
+                toolbar = list(DebugToolbar._store.values())[-1]
+                nonce = str(toolbar.csp_nonce)
+                self._fail_if_missing(
+                    root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
+                )
+                self._fail_if_missing(
+                    root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
+                )
+
+    def test_does_not_exist_nonce_wasnt_used(self):
+        """
+        A `nonce` should not exist even when using the `CSPMiddleware`
+        if the view didn't access the request.csp_nonce attribute.
+        """
+        for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
+            with self.settings(MIDDLEWARE=middleware):
+                response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
+                self.assertEqual(response.status_code, 200)
+
+                html_root: Element = self.parser.parse(stream=response.content)
+                self._fail_on_invalid_html(content=response.content, parser=self.parser)
+                self.assertContains(response, "djDebug")
+
+                namespaces = get_namespaces(element=html_root)
+                self._fail_if_found(
+                    root=html_root, path=".//link", namespaces=namespaces
+                )
+                self._fail_if_found(
+                    root=html_root, path=".//script", namespaces=namespaces
+                )
 
     @override_settings(
         DEBUG_TOOLBAR_CONFIG={"DISABLE_PANELS": set()},
-        MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"],
     )
     def test_redirects_exists(self):
-        response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
-        self.assertEqual(response.status_code, 200)
+        for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
+            with self.settings(MIDDLEWARE=middleware):
+                response = cast(HttpResponse, self.client.get(path="/csp_view/"))
+                self.assertEqual(response.status_code, 200)
+
+                html_root: Element = self.parser.parse(stream=response.content)
+                self._fail_on_invalid_html(content=response.content, parser=self.parser)
+                self.assertContains(response, "djDebug")
+
+                namespaces = get_namespaces(element=html_root)
+                context: ContextList = response.context  # pyright: ignore[reportAttributeAccessIssue]
+                nonce = str(context["toolbar"].csp_nonce)
+                self._fail_if_missing(
+                    root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
+                )
+                self._fail_if_missing(
+                    root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
+                )
 
-        html_root: Element = self.parser.parse(stream=response.content)
-        self._fail_on_invalid_html(content=response.content, parser=self.parser)
-        self.assertContains(response, "djDebug")
-
-        namespaces = get_namespaces(element=html_root)
-        context: ContextList = response.context  # pyright: ignore[reportAttributeAccessIssue]
-        nonce = str(context["toolbar"].request.csp_nonce)
-        self._fail_if_missing(
-            root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
-        )
-        self._fail_if_missing(
-            root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
-        )
-
-    @override_settings(
-        MIDDLEWARE=settings.MIDDLEWARE + ["csp.middleware.CSPMiddleware"]
-    )
     def test_panel_content_nonce_exists(self):
-        response = cast(HttpResponse, self.client.get(path="/regular/basic/"))
-        self.assertEqual(response.status_code, 200)
-
-        toolbar = list(DebugToolbar._store.values())[0]
-        panels_to_check = ["HistoryPanel", "TimerPanel"]
-        for panel in panels_to_check:
-            content = toolbar.get_panel_by_id(panel).content
-            html_root: Element = self.parser.parse(stream=content)
-            namespaces = get_namespaces(element=html_root)
-            nonce = str(toolbar.request.csp_nonce)
-            self._fail_if_missing(
-                root=html_root, path=".//link", namespaces=namespaces, nonce=nonce
-            )
-            self._fail_if_missing(
-                root=html_root, path=".//script", namespaces=namespaces, nonce=nonce
-            )
+        for middleware in [MIDDLEWARE_CSP_BEFORE, MIDDLEWARE_CSP_LAST]:
+            with self.settings(MIDDLEWARE=middleware):
+                response = cast(HttpResponse, self.client.get(path="/csp_view/"))
+                self.assertEqual(response.status_code, 200)
+
+                toolbar = list(DebugToolbar._store.values())[-1]
+                panels_to_check = ["HistoryPanel", "TimerPanel"]
+                for panel in panels_to_check:
+                    content = toolbar.get_panel_by_id(panel).content
+                    html_root: Element = self.parser.parse(stream=content)
+                    namespaces = get_namespaces(element=html_root)
+                    nonce = str(toolbar.csp_nonce)
+                    self._fail_if_missing(
+                        root=html_root,
+                        path=".//link",
+                        namespaces=namespaces,
+                        nonce=nonce,
+                    )
+                    self._fail_if_missing(
+                        root=html_root,
+                        path=".//script",
+                        namespaces=namespaces,
+                        nonce=nonce,
+                    )
 
     def test_missing(self):
         """A `nonce` should not exist when not using the `CSPMiddleware`."""

tests/urls.py

@@ -25,6 +25,7 @@
     path("redirect/", views.redirect_view),
     path("ajax/", views.ajax_view),
     path("login_without_redirect/", LoginView.as_view(redirect_field_name=None)),
+    path("csp_view/", views.csp_view),
     path("admin/", admin.site.urls),
     path("__debug__/", include("debug_toolbar.urls")),
 ]

tests/views.py

@@ -42,6 +42,11 @@ def regular_view(request, title):
     return render(request, "basic.html", {"title": title})
 
 
+def csp_view(request):
+    """Use request.csp_nonce to inject it into the headers"""
+    return render(request, "basic.html", {"title": f"CSP {request.csp_nonce}"})
+
+
 def template_response_view(request, title):
     return TemplateResponse(request, "basic.html", {"title": title})
 

tox.ini

@@ -25,7 +25,7 @@ deps =
     pygments
     selenium>=4.8.0
     sqlparse
-    django-csp<4
+    django-csp
 passenv=
     CI
     COVERAGE_ARGS