@@ -239,6 +239,7 @@ def _django_csp_update_decorator():
239239 """Returns a view CSP decorator if django-csp is available, otherwise None."""
240240 try :
241241 from csp .decorators import csp_update
242+ import csp
242243 except ModuleNotFoundError :
243244 # If csp is not installed, do not update fields as Content-Security-Policy
244245 # is not used
@@ -254,4 +255,29 @@ def _django_csp_update_decorator():
254255 else :
255256 # autosubmit of forms uses nonce per default
256257 # form-action https: to send data to IdPs
257- return csp_update (FORM_ACTION = ["https:" ])
258+
259+ # Check django-csp version to determine the appropriate format
260+ try :
261+ version = getattr (csp , "__version__" , "0.0" )
262+ major_version = int (version .split ("." )[0 ])
263+
264+ # Version detection successful
265+ if major_version >= 4 :
266+ # django-csp 4.0+ uses dict format with named 'config' parameter
267+ return csp_update (config = {"form-action" : ["https:" ]})
268+ else :
269+ # django-csp < 4.0 uses kwargs format
270+ return csp_update (FORM_ACTION = ["https:" ])
271+ except (AttributeError , ValueError , IndexError ):
272+ # Version detection failed, we need to try both formats
273+
274+ # Try v4.0+ style first because:
275+ # 1. It has better error handling with clear messages
276+ # 2. Newer versions are more likely to be supported in the future
277+ # 3. If using kwargs with v4.0, it raises a specific RuntimeError we can catch
278+ try :
279+ return csp_update (config = {"form-action" : ["https:" ]})
280+ except (TypeError , RuntimeError ):
281+ # TypeErrors could happen if config is not a recognized parameter (v3.x)
282+ # RuntimeErrors could happen in v4.0+ if we try the wrong approach
283+ return csp_update (FORM_ACTION = ["https:" ])
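Review bot: The `getattr(csp, "__version__", "0.0")` default sends any install whose `csp` module lacks a `__version__` attribute down the legacy `FORM_ACTION=` branch. The surrounding `except (AttributeError, ValueError, IndexError)` does not catch the `RuntimeError` that the comments here say django-csp 4.0 raises for kwargs, so that case would fail while the decorator is being built. The try-both fallback is also doubtful: if 3.x `csp_update` is declared with `**kwargs` (as I believe it is), `csp_update(config=...)` raises no `TypeError` there and instead records a directive named `config`, leaving `form-action` unrelaxed so the auto-submitted form to the IdP may be blocked by the site's policy. Reading the installed distribution's version is more reliable, e.g. `major_version = int(importlib.metadata.version("django-csp").split(".")[0])` after `import importlib.metadata`, keeping the two-branch `if` and dropping the nested try/except. The try/except/else of `_django_csp_update_decorator` begins outside this hunk, so the placement of the new import should be checked against the lines not shown.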