Add type stubs for built-in CSP support in Django 6.0

Author: federicobond

django-stubs/conf/global_settings.pyi

@@ -541,3 +541,9 @@ SECURE_REDIRECT_EXEMPT: list[str]
 SECURE_REFERRER_POLICY: str
 SECURE_SSL_HOST: str | None
 SECURE_SSL_REDIRECT: bool
+
+##################
+# CSP MIDDLEWARE #
+##################
+SECURE_CSP: dict[str, Any] = {}
+SECURE_CSP_REPORT_ONLY: dict[str, Any] = {}

django-stubs/middleware/csp.pyi

@@ -0,0 +1,7 @@
+from django.http import HttpRequest, HttpResponse
+from django.utils.csp import CSP as CSP
+from django.utils.deprecation import MiddlewareMixin
+
+class ContentSecurityPolicyMiddleware(MiddlewareMixin):
+    def process_request(self, request: HttpRequest) -> None: ...
+    def process_response(self, request: HttpRequest, response: HttpResponse) -> HttpResponse: ...

django-stubs/template/context_processors.pyi

@@ -6,6 +6,7 @@ from django.utils.functional import SimpleLazyObject
 
 _R = TypeVar("_R", bound=HttpRequest)
 
+def csp(request: HttpRequest) -> dict[str, SimpleLazyObject | None]: ...
 def csrf(request: HttpRequest) -> dict[str, SimpleLazyObject]: ...
 def debug(request: HttpRequest) -> dict[str, Callable | bool]: ...
 def i18n(request: HttpRequest) -> dict[str, list[tuple[str, str]] | bool | str]: ...

django-stubs/utils/csp.pyi

@@ -0,0 +1,24 @@
+import sys
+
+if sys.version_info >= (3, 11):
+    from enum import StrEnum
+else:
+    from enum import Enum
+
+    class ReprEnum(Enum): ...  # type: ignore[misc]
+    class StrEnum(str, ReprEnum): ...  # type: ignore[misc]
+
+class CSP(StrEnum):
+    HEADER_ENFORCE = "Content-Security-Policy"
+    HEADER_REPORT_ONLY = "Content-Security-Policy-Report-Only"
+
+    NONE = "'none'"
+    REPORT_SAMPLE = "'report-sample'"
+    SELF = "'self'"
+    STRICT_DYNAMIC = "'strict-dynamic'"
+    UNSAFE_EVAL = "'unsafe-eval'"
+    UNSAFE_HASHES = "'unsafe-hashes'"
+    UNSAFE_INLINE = "'unsafe-inline'"
+    WASM_UNSAFE_EVAL = "'wasm-unsafe-eval'"
+
+    NONCE = "<CSP_NONCE_SENTINEL>"

django-stubs/views/decorators/csp.pyi

@@ -0,0 +1,7 @@
+from collections.abc import Callable
+from typing import Any, TypeVar
+
+_F = TypeVar("_F", bound=Callable[..., Any])
+
+def csp_override(config: dict[str, Any]) -> Callable[[_F], _F]: ...
+def csp_report_only_override(config: dict[str, Any]) -> Callable[[_F], _F]: ...

scripts/stubtest/allowlist_todo_django60.txt

@@ -1,7 +1,5 @@
 django.conf.FORMS_URLFIELD_ASSUME_HTTPS_DEPRECATED_MSG
 django.conf.global_settings.FORMS_URLFIELD_ASSUME_HTTPS
-django.conf.global_settings.SECURE_CSP
-django.conf.global_settings.SECURE_CSP_REPORT_ONLY
 django.conf.global_settings.TASKS
 django.conf.global_settings.URLIZE_ASSUME_HTTPS
 django.contrib.admin.AdminSite.password_change_form
@@ -212,7 +210,6 @@ django.forms.ClearableFileInput.use_fieldset
 django.forms.models.BaseModelForm.validate_constraints
 django.forms.renderers.Jinja2DivFormRenderer
 django.forms.widgets.ClearableFileInput.use_fieldset
-django.middleware.csp
 django.tasks
 django.tasks.backends
 django.tasks.backends.base
@@ -223,7 +220,6 @@ django.tasks.checks
 django.tasks.exceptions
 django.tasks.signals
 django.template.base.PartialTemplate
-django.template.context_processors.csp
 django.template.defaulttags.PartialDefNode
 django.template.defaulttags.PartialNode
 django.template.defaulttags.partial_func
@@ -232,7 +228,6 @@ django.test.runner.QueryFormatter
 django.test.selenium.SeleniumTestCase.get_browser_logs
 django.test.testcases._AssertTemplateUsedContext.rendered_template_names
 django.utils.copy
-django.utils.csp
 django.utils.datastructures.DeferredSubDict
 django.utils.deprecation.RemovedInDjango60Warning
 django.utils.deprecation.RemovedInDjango70Warning
@@ -245,4 +240,3 @@ django.utils.itercompat
 django.utils.json
 django.utils.log.log_message
 django.utils.text.acompress_sequence
-django.views.decorators.csp