Skip to content

Add django-csp v4.0 compatibility #417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
May 19, 2025
Merged

Add django-csp v4.0 compatibility #417

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
60b0bc7
Add django-csp 4.0 compatibility (#415)
gabriels1234 May 13, 2025
e6157cb
utils.py: update CSP handling for django-csp version compatibility
jcrtexidor May 13, 2025
7398c26
Fix csp version detection
gabriels1234 May 14, 2025
f1f8df6
Merge remote-tracking branch 'jcrtexidor/fix/csp-update-decorator' in…
gabriels1234 May 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 25 additions & 1 deletion djangosaml2/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
import zlib
from functools import lru_cache, wraps
from typing import Optional
from importlib.metadata import version, PackageNotFoundError

from django.conf import settings
from django.core.exceptions import ImproperlyConfigured
Expand Down Expand Up @@ -239,6 +240,7 @@ def _django_csp_update_decorator():
"""Returns a view CSP decorator if django-csp is available, otherwise None."""
try:
from csp.decorators import csp_update
import csp
except ModuleNotFoundError:
# If csp is not installed, do not update fields as Content-Security-Policy
# is not used
Expand All @@ -254,4 +256,26 @@ def _django_csp_update_decorator():
else:
# autosubmit of forms uses nonce per default
# form-action https: to send data to IdPs
return csp_update(FORM_ACTION=["https:"])
# Check django-csp version to determine the appropriate format
try:
csp_version = version('django-csp')
major_version = int(csp_version.split('.')[0])

# Version detection successful
if major_version >= 4:
# django-csp 4.0+ uses dict format with named 'config' parameter
return csp_update(config={"form-action": ["https:"]})
# django-csp < 4.0 uses kwargs format
return csp_update(FORM_ACTION=["https:"])
except (PackageNotFoundError, ValueError, RuntimeError, AttributeError, IndexError):
# Version detection failed, we need to try both formats
# Try v4.0+ style first because:
# 1. It has better error handling with clear messages
# 2. Newer versions are more likely to be supported in the future
# 3. If using kwargs with v4.0, it raises a specific RuntimeError we can catch
try:
return csp_update(config={"form-action": ["https:"]})
except (TypeError, RuntimeError):
# TypeErrors could happen if config is not a recognized parameter (v3.x)
# RuntimeErrors could happen in v4.0+ if we try the wrong approach
return csp_update(FORM_ACTION=["https:"])