fix(deps): update dependency django-csp to v4 #72

Merged
kumi merged 2 commits from renovate/django-csp-4.x-lockfile into main 2025-04-06 18:26:36 +00:00
Collaborator

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| django-csp (changelog) | dependencies | major | `3.8` -> `4.0` |

Release Notes

mozilla/django-csp (django-csp)

v4.0

Compare Source

This release contains several breaking changes. For a complete migration guide, see:
https://django-csp.readthedocs.io/en/latest/migration-guide.html

Breaking Changes

  • Configuration Format: Moved to dict-based configuration which allows for setting policies for
    both enforced and report-only. Instead of using individual settings with CSP_ prefixes, you now
    use dictionaries called CONTENT_SECURITY_POLICY and/or CONTENT_SECURITY_POLICY_REPORT_ONLY.
    (#219)

    You can use Django's check command to automatically identify existing CSP settings and generate a
    template for the new configuration format:

    python manage.py check
    

    This will detect your old CSP_ prefixed settings and output a draft of the new dict-based
    configuration, giving you a starting point for migration.

    Example:

    Change from:

    ```python
    CSP_DEFAULT_SRC = ["'self'", "*.example.com"]
    CSP_SCRIPT_SRC = ["'self'", "js.cdn.com/example/"]
    CSP_IMG_SRC = ["'self'", "data:", "example.com"]
    CSP_EXCLUDE_URL_PREFIXES = ["/admin"]
    ```

    to:

    ```python
    from csp.constants import SELF

    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "default-src": [SELF, "*.example.com"],
            "script-src": [SELF, "js.cdn.com/example/"],
            "img-src": [SELF, "data:", "example.com"],
        },
        "EXCLUDE_URL_PREFIXES": ["/admin"],
    }
    ```
  • Nonce Configuration: Switched from specifying directives that should contain nonces as a
    separate list to using a sentinel NONCE value in the directive itself.
    (#223)

    Example:

    Change from:

    ```python
    CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src']
    ```

    to:

    ```python
    from csp.constants import NONCE, SELF

    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "script-src": [SELF, NONCE],
            "style-src": [SELF, NONCE],
        }
    }
    ```
  • Nonce Behavior: Changed how request.csp_nonce works - it is now Falsy
    (bool(request.csp_nonce)) until it is read as a string (e.g., used in a template or with
    str(request.csp_nonce)). Previously, it always tested as True, and testing generated the nonce.
    (#270)

    Before:


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
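The release notes above describe three migration points: the move from `CSP_*` settings to the `CONTENT_SECURITY_POLICY` dict, the `NONCE` sentinel replacing `CSP_INCLUDE_NONCE_IN`, and the nonce becoming falsy until it is read. The following is an added worked example, not code from django-csp, Renovate or this repository. It converts the 3.x settings quoted in the notes into the 4.0 shape, models the lazy nonce, and serialises the result into standard CSP header syntax so the effect of each change is visible. Assumptions: the `csp.constants` import is optional and local stand-ins (`SELF` as the literal `'self'`, `NONCE` as a marker object) are used when django-csp is not installed; the `CSP_REPORT_ONLY` handling, the `_OPTION_KEYS` mapping, the `LazyNonce` class and `render_header` are illustrative helpers, not django-csp's own migration or middleware logic.

```python
"""Added example: migrate 3.x CSP_* settings to the django-csp 4.0 dict format
and show the lazy request.csp_nonce behaviour described in the release notes."""
import secrets
from typing import Any, Optional

try:
    # Real sentinels when django-csp >= 4 is installed.
    from csp.constants import NONCE, SELF
except ImportError:
    # Stand-ins so the example runs without django-csp (assumption: SELF is the
    # literal "'self'" and NONCE is a unique marker object, as in csp.constants).
    SELF = "'self'"

    class _NonceMarker:
        def __repr__(self) -> str:
            return "NONCE"

    NONCE = _NonceMarker()

# 3.x settings that become top-level policy options rather than directives
# (EXCLUDE_URL_PREFIXES appears in the release notes; the mapping rule is ours).
_OPTION_KEYS = {"CSP_EXCLUDE_URL_PREFIXES": "EXCLUDE_URL_PREFIXES"}
# 3.x settings consumed here instead of being copied through as directives.
_SPECIAL_KEYS = {"CSP_INCLUDE_NONCE_IN", "CSP_REPORT_ONLY"}


def migrate_csp_settings(old: dict) -> dict:
    """Build {"CONTENT_SECURITY_POLICY": {...}} from CSP_* settings. When the 3.x
    CSP_REPORT_ONLY flag is set, the _REPORT_ONLY setting name is used instead."""
    directives: dict = {}
    options: dict = {}
    for key, value in old.items():
        if not key.startswith("CSP_") or key in _SPECIAL_KEYS:
            continue
        if key in _OPTION_KEYS:
            options[_OPTION_KEYS[key]] = value
            continue
        # CSP_DEFAULT_SRC -> default-src, CSP_UPGRADE_INSECURE_REQUESTS -> upgrade-insecure-requests
        name = key[len("CSP_"):].lower().replace("_", "-")
        if isinstance(value, (list, tuple)):
            value = [SELF if source == "'self'" else source for source in value]
        directives[name] = value
    # CSP_INCLUDE_NONCE_IN = ["script-src", ...] becomes a NONCE entry in each directive,
    # creating the directive when the old settings did not define it.
    for name in old.get("CSP_INCLUDE_NONCE_IN", []):
        sources = list(directives.get(name, []))
        if not any(source is NONCE for source in sources):
            sources.append(NONCE)
        directives[name] = sources
    setting = "CONTENT_SECURITY_POLICY_REPORT_ONLY" if old.get("CSP_REPORT_ONLY") else "CONTENT_SECURITY_POLICY"
    return {setting: {"DIRECTIVES": directives, **options}}


class LazyNonce:
    """Models the 4.0 request.csp_nonce: falsy until read as a string, at which
    point one nonce is generated and reused. Illustrative, not django-csp's class."""

    def __init__(self) -> None:
        self._value: Optional[str] = None

    def __bool__(self) -> bool:
        return self._value is not None

    def __str__(self) -> str:
        if self._value is None:
            self._value = secrets.token_urlsafe(16)
        return self._value


def render_header(directives: dict, nonce: LazyNonce) -> str:
    """Serialise directives to standard CSP header syntax. A NONCE entry becomes
    'nonce-<value>', and reading the value is what generates the lazy nonce."""
    parts = []
    for name, value in directives.items():
        if value is True:  # boolean directives such as upgrade-insecure-requests
            parts.append(name)
        elif isinstance(value, (list, tuple)):
            sources = [f"'nonce-{nonce}'" if source is NONCE else str(source) for source in value]
            parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


# Constructed sample: the 3.x settings from the release notes plus the nonce list.
OLD_SETTINGS: dict = {
    "CSP_DEFAULT_SRC": ["'self'", "*.example.com"],
    "CSP_SCRIPT_SRC": ["'self'", "js.cdn.com/example/"],
    "CSP_IMG_SRC": ["'self'", "data:", "example.com"],
    "CSP_EXCLUDE_URL_PREFIXES": ["/admin"],
    "CSP_INCLUDE_NONCE_IN": ["script-src", "style-src"],
}

if __name__ == "__main__":
    new = migrate_csp_settings(OLD_SETTINGS)
    print(new)
    nonce = LazyNonce()
    print("nonce read yet?", bool(nonce))  # False: no nonce exists until something reads it
    print(render_header(new["CONTENT_SECURITY_POLICY"]["DIRECTIVES"], nonce))
    print("nonce read yet?", bool(nonce))  # True: rendering the header read it
```

The practical point of the `LazyNonce` part: view or middleware code written for 3.x that does `if request.csp_nonce:` before a template is rendered will now see `False`, so such checks need to read the nonce with `str()` (or via the template) rather than test its truthiness. The migration function is a starting point in the same spirit as `manage.py check`; any `CSP_*` setting it does not recognise is mapped mechanically to a hyphenated directive name, so review the output against the official migration guide before deploying it.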

kumi merged commit 4e32d528ac into main 2025-04-06 18:26:36 +00:00
kumi deleted branch renovate/django-csp-4.x-lockfile 2025-04-06 18:26:36 +00:00
Reference: PrivateCoffee/quackscape#72