Skip to content

Add Django built-in CSP nonce support #2267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 27, 2025
Merged

Add Django built-in CSP nonce support #2267

merged 2 commits into from
Nov 27, 2025
+62 −16

Conversation

@ahumeau
Copy link
Contributor

@ahumeau ahumeau commented Nov 27, 2025
edited
Loading

Description

Django 6.0 added built-in support for Content Security Policies.
Part of this support is associating a randomly generated nonce to each request that can then be
attached to <script> and <style> tags.

If users of django-debug-toolbar want to have a nonce-based CSP, they need django-debug-toolbar to add the nonce to the <script> and <style> tags that it generates.

django-debug-toolbar already does that for CSP nonces generated by the django-csp third-party lib but the nonces generated by django-csp and Django are accessed differently.

This PR adds support for the CSP nonces generated by the built-in Django implementation.

@ahumeau
Add Django built-in CSP nonce support
0920a11 
Django 6.0 added built-in support for Content Security Policies.
Part of this support is associating a randomly generated nonce to each request that can then be
attached to <script> and <style> tags.

django-debug-toolbar already has support for CSP nonces generated by the django-csp third-party lib but
the nonces generated by django-csp and Django are accessed differently.

This commit adds support for the CSP nonces generated by the built-in Django implementation.
matthiask
matthiask requested changes Nov 27, 2025
View reviewed changes
Copy link
Member

@matthiask matthiask left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! This looks very good.

Please change the CSP nonce import to use a django.VERSION comparison block so that we can automatically remove it in the future using django-upgrade (https://django-upgrade.readthedocs.io/en/latest/fixers.html#versioned-blocks)

@github-actions
Copy link

github-actions bot commented Nov 27, 2025
edited
Loading

Coverage report

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)		Lines missing
  debug_toolbar
  _compat.py
  toolbar.py
  utils.py
Project Total  

This report was generated by python-coverage-comment-action

@ahumeau ahumeau requested a review from matthiask November 27, 2025 14:31
matthiask
matthiask approved these changes Nov 27, 2025
View reviewed changes
Copy link
Member

@matthiask matthiask left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@matthiask matthiask merged commit 7382193 into django-commons:main Nov 27, 2025
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matthiask matthiask matthiask approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ahumeau @matthiask