
Releases: mozilla/django-csp

v4.0

02 Apr 16:36

This release contains several breaking changes. For a complete migration guide, see:
https://django-csp.readthedocs.io/en/latest/migration-guide.html

Breaking Changes

  • Configuration Format: Moved to dict-based configuration which allows for setting policies for
    both enforced and report-only. Instead of using individual settings with CSP_ prefixes, you now
    use dictionaries called CONTENT_SECURITY_POLICY and/or CONTENT_SECURITY_POLICY_REPORT_ONLY.
    (#219)

    You can use Django's check command to automatically identify existing CSP settings and generate a
    template for the new configuration format:

    python manage.py check
    

    This will detect your old CSP_ prefixed settings and output a draft of the new dict-based
    configuration, giving you a starting point for migration.

    Example:

    Change from:

    CSP_DEFAULT_SRC = ["'self'", "*.example.com"]
    CSP_SCRIPT_SRC = ["'self'", "js.cdn.com/example/"]
    CSP_IMG_SRC = ["'self'", "data:", "example.com"]
    CSP_EXCLUDE_URL_PREFIXES = ["/admin"]

    to:

    from csp.constants import SELF
    
    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "default-src": [SELF, "*.example.com"],
            "script-src": [SELF, "js.cdn.com/example/"],
            "img-src": [SELF, "data:", "example.com"],
        },
        "EXCLUDE_URL_PREFIXES": ["/admin"],
    }
  • Nonce Configuration: Switched from specifying directives that should contain nonces as a
    separate list to using a sentinel NONCE value in the directive itself.
    (#223)

    Example:

    Change from:

    CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src']

    to:

    from csp.constants import NONCE, SELF
    
    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "script-src": [SELF, NONCE],
            "style-src": [SELF, NONCE],
        }
    }
  • Nonce Behavior: Changed how request.csp_nonce works - it is now Falsy
    (bool(request.csp_nonce)) until it is read as a string (e.g., used in a template or with
    str(request.csp_nonce)). Previously, it always tested as True, and testing generated the nonce.
    (#270)

    Before:

    # The nonce was generated when this was evaluated
    if request.csp_nonce:
        pass  # do something with the nonce

    After:

    # This won't generate the nonce, and will evaluate to False until the nonce is read as a string
    if request.csp_nonce:
        pass  # this code won't run until the nonce has been used as a string
    
    # To generate and use the nonce
    nonce_value = str(request.csp_nonce)
  • Dropped support for Django ≤3.2.

  • Dropped support for Python 3.8.
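
The two migration steps above (dict-based DIRECTIVES and the NONCE sentinel) as a standalone converter. This is an added example, not code from django-csp; the project's own `python manage.py check` output is the supported starting point. It assumes a 3.x settings module represented as a plain dict, uses local stand-in strings for csp.constants.SELF, NONE and NONCE (the real values are opaque and not shown on this page), and the sample settings are constructed for the example. Beyond the page's own snippets it also wraps a bare-string EXCLUDE_URL_PREFIXES in a list, routes CSP_REPORT_ONLY=True to CONTENT_SECURITY_POLICY_REPORT_ONLY, and flags directives that mix 'none' with other sources, which browsers treat as if 'none' were absent.

```python
"""Convert django-csp 3.x CSP_* settings to the 4.0 dict layout and lint the result.

Added example, not part of django-csp. Mapping reproduced from the release notes:
CSP_<DIRECTIVE> -> "directive-name", CSP_EXCLUDE_URL_PREFIXES -> "EXCLUDE_URL_PREFIXES",
CSP_INCLUDE_NONCE_IN -> NONCE appended to each named directive,
CSP_REPORT_ONLY=True -> CONTENT_SECURITY_POLICY_REPORT_ONLY.
"""
from __future__ import annotations

from typing import Any

SELF = "'self'"    # stand-in for csp.constants.SELF (assumption: not the library's value)
NONE = "'none'"    # stand-in for csp.constants.NONE
NONCE = "<NONCE>"  # stand-in for the csp.constants.NONCE sentinel

# Old settings that become policy-level keys rather than directives.
POLICY_KEYS = {
    "CSP_EXCLUDE_URL_PREFIXES": "EXCLUDE_URL_PREFIXES",
    "CSP_REPORT_PERCENTAGE": "REPORT_PERCENTAGE",
}
# Old settings consumed by the converter itself rather than copied across.
CONTROL_KEYS = {"CSP_INCLUDE_NONCE_IN", "CSP_REPORT_ONLY"}

# Constructed sample of a 3.x settings module (not taken from a real project).
OLD_SETTINGS: dict[str, Any] = {
    "CSP_DEFAULT_SRC": ["'self'", "*.example.com"],
    "CSP_SCRIPT_SRC": ["'self'", "js.cdn.com/example/"],
    "CSP_IMG_SRC": ["'self'", "data:", "example.com"],
    "CSP_OBJECT_SRC": ["'none'"],
    "CSP_REPORT_URI": "/csp-report/",
    "CSP_UPGRADE_INSECURE_REQUESTS": True,
    "CSP_INCLUDE_NONCE_IN": ["script-src", "style-src"],
    "CSP_EXCLUDE_URL_PREFIXES": "/admin",  # bare string: the mistake the #252 check catches
    "CSP_REPORT_PERCENTAGE": 10,
    "DEBUG": False,  # unrelated setting, must be ignored
}


def convert_settings(old: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Return {"CONTENT_SECURITY_POLICY[_REPORT_ONLY]": {...}} built from the old CSP_* keys."""
    directives: dict[str, Any] = {}
    policy: dict[str, Any] = {"DIRECTIVES": directives}
    nonce_in = set(old.get("CSP_INCLUDE_NONCE_IN", ()))

    for key, value in old.items():
        if not key.startswith("CSP_") or key in CONTROL_KEYS:
            continue
        if key in POLICY_KEYS:
            if key == "CSP_EXCLUDE_URL_PREFIXES" and isinstance(value, str):
                value = [value]  # a str would otherwise be iterated character by character
            policy[POLICY_KEYS[key]] = value
            continue
        name = key[len("CSP_"):].lower().replace("_", "-")
        if isinstance(value, (bool, str)):
            # Boolean flags (upgrade-insecure-requests) and single-string directives (report-uri).
            directives[name] = value
        else:
            sources = list(value)  # lists, tuples and sets are all accepted in 4.0
            if name in nonce_in:
                sources.append(NONCE)  # 4.0: the nonce is a sentinel inside the directive
            directives[name] = sources

    for name in sorted(nonce_in - set(directives)):
        directives[name] = [NONCE]  # nonce requested for a directive that had no sources

    if isinstance(policy.get("REPORT_PERCENTAGE"), int):
        policy["REPORT_PERCENTAGE"] = float(policy["REPORT_PERCENTAGE"])  # 4.0 expects a float

    setting = "CONTENT_SECURITY_POLICY_REPORT_ONLY" if old.get("CSP_REPORT_ONLY") else "CONTENT_SECURITY_POLICY"
    return {setting: policy}


def lint_directives(directives: dict[str, Any]) -> list[str]:
    """Names of directives that combine 'none' with other sources; browsers ignore 'none' there."""
    return [
        name
        for name, value in directives.items()
        if isinstance(value, list) and NONE in value and len(value) > 1
    ]


if __name__ == "__main__":
    converted = convert_settings(OLD_SETTINGS)
    print(converted)
    print("mixed 'none':", lint_directives(next(iter(converted.values()))["DIRECTIVES"]))
```

Run the converter against your real settings module by passing `vars(settings_module)` filtered to upper-case names, then replace the stand-in strings with the real constants from csp.constants before pasting the result into settings.py.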

New Features and Improvements

  • Dual Policy Support: Added support for enforced and report-only policies simultaneously using
    the separate CONTENT_SECURITY_POLICY and CONTENT_SECURITY_POLICY_REPORT_ONLY settings.

    Example:

    from csp.constants import NONE, SELF
    
    # Enforced policy
    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "default-src": [SELF, "cdn.example.net"],
            "frame-ancestors": [SELF],
        },
    }
    
    # Report-only policy (stricter for testing)
    CONTENT_SECURITY_POLICY_REPORT_ONLY = {
        "DIRECTIVES": {
            "default-src": [NONE],
            "script-src": [SELF],
            "style-src": [SELF],
            "report-uri": "https://example.com/csp-report/",
        },
    }
  • CSP Constants: Added CSP keyword constants in csp.constants (e.g., SELF instead of
    "'self'") to minimize quoting mistakes and typos.
    (#222)

    Example:

    Change from:

    CSP_DEFAULT_SRC = ["'self'"]
    CSP_OBJECT_SRC = ["'none'"]

    to:

    from csp.constants import SELF, NONE
    
    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "default-src": [SELF],  # No need to worry about quoting
            "object-src": [NONE],   # 'none' must be the only source in a directive
        }
    }
  • Added comprehensive type hints. (#228)

  • Added a check that EXCLUDE_URL_PREFIXES is a list or tuple, not a bare string. (#252)

  • Added support for CSP configuration as sets. (#251)

  • Changed REPORT_PERCENTAGE to a float between 0.0 and 100.0, and fixed the 100.0 case so that
    CSP reports are always sent.

  • The nonce can now be read after the response if it was included in the header. Accessing the
    nonce after the response when it was never generated raises an error.
    (#269)

  • Simplified the middleware logic and made CSPMiddleware easier to subclass. The updated
    middleware returns a PolicyParts dataclass that can be modified before the policy string is built.
    (#237)
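
A stdlib-only model of the request.csp_nonce semantics described in the Nonce Behavior breaking change above and in the read-after-response bullet. This is an added example, not django-csp's implementation: the real attribute is a lazy object whose class this page does not show, and LazyNonce, mark_response_sent, legacy_check, script_tag and nonce_or_none are names invented here. It exists to make the failure mode concrete: code that truth-tests the nonce to decide whether to emit a nonce attribute silently stops doing so under 4.0, and a nonce first requested after the response went out cannot be honoured.

```python
"""Model of django-csp 4.0 nonce semantics (added example, not library code).

Behaviour reproduced from the release notes: bool(nonce) is False until the nonce has
been read as a string; str(nonce) generates it; reading it after the response is fine
if it was generated (and so included in the header) but an error otherwise.
"""
from __future__ import annotations

import secrets


class LazyNonce:
    """Stand-in for the lazy request.csp_nonce object (assumption: class name invented here)."""

    def __init__(self) -> None:
        self._value: str | None = None
        self._response_sent = False

    def __bool__(self) -> bool:
        # 4.0 behaviour: truth-testing does NOT generate the nonce.
        return self._value is not None

    def __str__(self) -> str:
        if self._value is None:
            if self._response_sent:
                # The header already went out without a nonce; a fresh value could never
                # match it, so refuse instead of returning something that looks valid.
                raise RuntimeError("csp_nonce requested after the response was sent without one")
            self._value = secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe base64
        return self._value

    def mark_response_sent(self) -> None:
        """Called by the (modelled) middleware once the CSP header has been emitted."""
        self._response_sent = True


def legacy_check(nonce: LazyNonce) -> bool:
    """The 3.x idiom: truth-test first. Under 4.0 semantics this is False until str() ran."""
    return bool(nonce)


def script_tag(nonce: LazyNonce) -> str:
    """The 4.0 idiom: read the nonce as a string, which generates it and flips bool()."""
    return f'<script nonce="{nonce}">/* inline */</script>'


def nonce_or_none(nonce: LazyNonce) -> str | None:
    """Read the nonce, mapping the post-response error to None for callers that tolerate it."""
    try:
        return str(nonce)
    except RuntimeError:
        return None


if __name__ == "__main__":
    n = LazyNonce()
    print("before read:", legacy_check(n))   # False
    print(script_tag(n))
    print("after read: ", legacy_check(n))   # True
    n.mark_response_sent()
    print("readable after response:", nonce_or_none(n) is not None)
    late = LazyNonce()
    late.mark_response_sent()
    print("never generated, read after response:", nonce_or_none(late))  # None
```

The practical rule this encodes: always obtain the nonce with str(request.csp_nonce) (or by rendering it in a template) before the response is returned, and never gate on its truthiness.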

Other Changes

  • Added Python 3.13 support.
  • Added support for Django 5.1 and 5.2.
  • Documentation improvements including fixed trusted_types links and clarification on NONE vs Python's None.
  • Documentation note that REPORT_PERCENTAGE only takes effect with the rate-limiting middleware.
  • Expanded ruff configuration and moved into pyproject.toml.

New Contributors

Full Changelog: 3.8...v4.0

4.0b7

18 Mar 16:40
Pre-release

What's Changed

Full Changelog: 4.0b6...4.0b7

4.0b6

13 Mar 19:37
Pre-release

What's Changed

Full Changelog: 4.0b5...4.0b6

4.0b5

06 Mar 19:17
Pre-release

What's Changed

Full Changelog: 4.0b4...4.0b5

4.0b4

21 Feb 02:46
Pre-release

What's Changed

New Contributors

Full Changelog: 4.0b3...4.0b4

4.0b3

15 Feb 08:08
Pre-release

What's Changed

New Contributors

Full Changelog: 4.0b2...4.0b3

4.0b2

17 Sep 21:04
Pre-release

What's Changed

New Contributors

Full Changelog: 4.0b1...4.0b2

4.0b1

20 Jun 00:08
Pre-release

Backwards-Incompatible Release - Beta for Community Testing

This release introduces significant changes that are not backwards compatible. We encourage all users to review the migration guide thoroughly before upgrading.

  • This beta version includes substantial updates that may affect the behavior of your existing applications.
  • Migration steps are necessary to ensure compatibility.
  • We welcome community testing and feedback to identify any issues or improvements needed before a final release.

What's Changed

  • Restructure CSP Configuration with Streamlined Settings (backwards incompatible) by @robhudson in #219
  • Add constants for CSP keywords by @robhudson in #222
  • Fix report_only to REPORT_ONLY in decorator docs by @robhudson in #224
  • Move to NONCE sentinel instead of 'include-nonce-in' by @robhudson in #223

New Contributors

Full Changelog: 3.8...4.0b1

3.8

01 Mar 13:56

Please note that 3.8 is Python-code-identical to 3.8rc1, and there were no regressions or problems noted or reported with 3.8rc0 or 3.8rc1.

django-csp lives!

It's been more than a year since the last release and the project needed some refreshing before we can move forward with it.

This release aims to be functionally equivalent to 3.7, but with formal support for more modern Django and Python versions, all the way up to Django 5 on Python 3.12.

Please see https://github.com/mozilla/django-csp/blob/3.8rc/CHANGES for a short summary of changes.

Feedback and bug reports are very welcome. 🙇

What's Changed

New Contributors

Full Changelog: 3.7...3.8

3.8rc1

28 Feb 10:02

Release candidate for django-csp 3.8

Please note that 3.8rc1 is almost identical to 3.8rc0, and there were no regressions or problems noted with 3.8rc0.

It's been more than a year since the last release and the project needed some refreshing before we can move forward with it.

This release aims to be functionally equivalent to 3.7, but with formal support for more modern Django and Python versions, all the way up to Django 5 on Python 3.12.

Please see https://github.com/mozilla/django-csp/blob/3.8rc1/CHANGES for a short summary of changes.

Feedback and bug reports are very welcome.

What's Changed in 3.8rc1

New Contributors to 3.8rc1

  • @hmpf made their first contribution in #216

What's Changed in 3.8rc0 (based on commit history)

New Contributors to 3.8rc0

Full Changelog: 3.7...3.8rc1