Log CSP errors instead of crashing.

2025-04-24 11:22:00 -04:00 · 2017-07-15 01:44:03 -04:00 · 2017-07-15 01:44:03 -04:00 · 8fa410d6fd
parent df37921e49
commit 8fa410d6fd
2 changed files with 17 additions and 3 deletions
--- a/csp_advanced/middleware.py
+++ b/csp_advanced/middleware.py
@ -1,9 +1,12 @@
+import logging
 from django.conf import settings
 from django.core.exceptions import MiddlewareNotUsed

-from csp_advanced.csp import CSPCompiler
+from csp_advanced.csp import CSPCompiler, InvalidCSPError
 from csp_advanced.utils import is_callable_csp_dict, call_csp_dict, merge_csp_dict

+log = logging.getLogger(__name__)
+

 class AdvancedCSPMiddleware(object):
    def __init__(self, get_response=None):
@ -36,8 +39,15 @@ class AdvancedCSPMiddleware(object):
                    csp = merge_csp_dict(csp, update)
                break

-        if csp:
-            response[header] = CSPCompiler(csp).compile()
+        if not csp:
+            return
+
+        try:
+            policy = CSPCompiler(csp).compile()
+        except InvalidCSPError:
+            log.exception('Invalid CSP on page: %s', request.get_full_path())
+            return
+        response[header] = policy

    def process_response(self, request, response):
        if self.enforced_csp:
--- a/csp_advanced/tests.py
+++ b/csp_advanced/tests.py
@ -168,6 +168,10 @@ class TestMiddleware(SimpleTestCase):
    def test_setting_csp(self):
        self.assertEqual(self.make_ok_view()(self.get_request())['Content-Security-Policy'], "script-src 'self'")

+    @override_settings(ADVANCED_CSP={'bad': ['self']})
+    def test_invalid_csp(self):
+        self.assertFalse('Content-Security-Policy' in self.make_ok_view()(self.get_request()))
+
    @override_settings(ADVANCED_CSP_REPORT_ONLY={'default-src': ['http://dmoj.ca']})
    def test_setting_csp_report(self):
        self.assertEqual(self.make_ok_view()(self.get_request())['Content-Security-Policy-Report-Only'],