
@federicobond
Contributor

Documentation: https://docs.djangoproject.com/en/6.0/ref/csp/

I reused a trick from django-stubs/db/models/enums.pyi to make it compatible with Python < 3.11.

@federicobond
Contributor Author

federicobond commented Dec 4, 2025

Apparently the stubtest job needs the Django 6.0 dependency update to be merged first.

@federicobond federicobond force-pushed the csp-support branch 2 times, most recently from 9666acd to 295a04f, December 4, 2025 13:17
@intgr
Collaborator

intgr commented Dec 10, 2025

Django 6.0 dependency update to be merged first

@intgr
Collaborator

intgr commented Dec 10, 2025

Please look at stubtest output https://github.com/typeddjango/django-stubs/actions/runs/20098667950/job/57663468906?pr=2931

And update stubs or stubtest allowlist files scripts/stubtest/allowlist_*.txt as needed.

@intgr intgr changed the title from "Add type stubs for built-in CSP support in Django 6.0" to "Django 6.0: Add stubs for built-in CSP support", Dec 10, 2025
@federicobond federicobond force-pushed the csp-support branch 2 times, most recently from 8a5d299 to 79dac0f, December 11, 2025 01:58
@federicobond
Contributor Author

federicobond commented Dec 11, 2025

Should I include undocumented functions like get_nonce and build_policy in the type stubs or allow them in the allowlist?

@intgr
Collaborator

intgr commented Dec 11, 2025

Yes, add them to stubs. If you know they are undocumented, it's worth adding a code comment about it.

Comment on lines 548 to 549:
    SECURE_CSP: dict[str, Any] = {}
    SECURE_CSP_REPORT_ONLY: dict[str, Any] = {}

Member

Suggested change:
-SECURE_CSP: dict[str, Any] = {}
-SECURE_CSP_REPORT_ONLY: dict[str, Any] = {}
+SECURE_CSP: dict[str, Any]
+SECURE_CSP_REPORT_ONLY: dict[str, Any]

Member


We might also type it as Sequence[str] instead of Any maybe?

Collaborator


Apparently SECURE_CSP_REPORT_ONLY = {"report-uri": "/path/to/reports-endpoint/"} is a valid value, so it's not always Sequence.

Contributor Author


Would Sequence[str] | str cover all use cases?

Collaborator


I'm not sure. Check the docs and if that is inconclusive, maybe check source too.

Contributor Author


From the docs:

The setting must be a mapping (typically a dictionary) of directive names to their values. Each key should be a valid CSP directive such as default-src or script-src. The corresponding value can be a list, tuple, or set of source expressions or URLs to allow for that directive. If a set is used, it will be automatically sorted to ensure consistent output in the generated headers.

Based on this, I updated the type for the policies to be Mapping[str, Collection[str] | str]. Let me know if that works.

Collaborator

@intgr intgr left a comment


Thanks!

@intgr intgr added this to the Django 6.0 support milestone Dec 11, 2025
@federicobond federicobond force-pushed the csp-support branch 3 times, most recently from abf2201 to 1bbb8a4, December 12, 2025 00:46
@federicobond federicobond force-pushed the csp-support branch 2 times, most recently from a659ed1 to 388cf6a, December 12, 2025 02:05
@federicobond
Contributor Author

I've updated the PR based on the review comments. All build jobs pass now.

Collaborator

@intgr intgr left a comment


Awesome, thanks for your help.

@intgr intgr merged commit 51beeee into typeddjango:master Dec 12, 2025
46 checks passed

3 participants