Re: [Django] #36831: Add validation for CSP directive names and values in build_policy()

[Django]

#36831: Add validation for CSP directive names and values in build_policy()
-------------------------------------+-------------------------------------
     Reporter:  Naveed Qadir         |                    Owner:  Naveed
         Type:                       |  Qadir
  Cleanup/optimization               |                   Status:  closed
    Component:  Utilities            |                  Version:  6.0
     Severity:  Normal               |               Resolution:  wontfix
     Keywords:  csp,validation       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Naveed Qadir):

 Thanks for reviewing, Jacob. I understand the concern about adding
 validation that might be overly restrictive.

 My motivation was to catch developer errors earlier in the development
 cycle (during testing/local development) rather than requiring manual
 inspection of browser console logs. The specific scenario: developer
 misconfigures CSP with embedded semicolons → Django silently generates
 malformed policy → browser partially applies it, security gaps may go
 unnoticed.

 Regarding technical validity: semicolons in directive names are
 definitively invalid per the [CSP Level 3 spec](https://www.w3.org/TR/CSP3
 /#grammardef-serialized-policy), which defines directive names as tokens
 that cannot contain semicolons (reserved as directive separators).

 If there's interest in a minimal approach validating only directive names
 against the spec's well-defined grammar, I'm happy to revise. Otherwise, I
 understand closing as wontfix.
 Replying to [comment:2 Jacob Walls]:
 > Thanks for the ticket, but I don't think this brings enough value to
 work on. There's developer feedback in browser dev tools already for
 invalid policies:
 >
 > {{{
 > 98:1 Unrecognized Content-Security-Policy directive 'foo'.
 > }}}
 >
 > And I'm not certain some of the proposed validations aren't technically
 valid somehow.
 >
 > What are your motivations for opening this report?
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36831#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/0107019b6bcba904-2f043dbd-5375-45ea-9228-26b05d770753-000000%40eu-central-1.amazonses.com.