From 2302dbade6a33b91487cba8d2be9216c6e464843 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Tue, 7 Mar 2017 22:30:15 +0100
Subject: [PATCH] Even slightly more CSP refactoring
---
 src/pretix/base/middleware.py | 45 +++++++++++++++++++----------------
 src/pretix/settings.py | 2 +-
 2 files changed, 25 insertions(+), 22 deletions(-)
diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index d88a2ed19c..90cfa01924 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -135,27 +135,30 @@ def get_language_from_request(request: HttpRequest) -> str:
 )
+def _parse_csp(header):
+ h = {}
+ for part in header.split(';'):
+ k, v = part.strip().split(' ', 1)
+ h[k.strip()] = v.split(' ')
+ return h
+
+
+def _render_csp(h):
+ return "; ".join(k + ' ' + ' '.join(v) for k, v in h.items())
+
+
+def _merge_csp(a, b):
+ for k, v in a.items():
+ if k in b:
+ a[k] += b[k]
+
+ for k, v in b.items():
+ if k not in a:
+ a[k] = b[k]
+
+
 class SecurityMiddleware(MiddlewareMixin):
- def _parse_csp(self, header):
- h = {}
- for part in header.split(';'):
- k, v = part.strip().split(' ', 1)
- h[k.strip()] = v.split(' ')
- return h
-
- def _render_csp(self, h):
- return "; ".join(k + ' ' + ' '.join(v) for k, v in h.items())
-
- def _merge_csp(self, a, b):
- for k, v in a.items():
- if k in b:
- a[k] += b[k]
-
- for k, v in b.items():
- if k not in a:
- a[k] = b[k]
-
 def process_response(self, request, resp):
 if settings.DEBUG and resp.status_code >= 400:
 # Don't use CSP on debug error page as it breaks of Django's fancy error
@@ -180,7 +183,7 @@ class SecurityMiddleware(MiddlewareMixin):
 'form-action': ["{dynamic}', 'https:"],
 }
 if 'Content-Security-Policy' in resp:
- self._merge_csp(h, self._parse_csp(resp['Content-Security-Policy']))
+ _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
 staticdomain = "'self'"
 dynamicdomain = "'self'"
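Review bot: `_parse_csp` raises ValueError on any directive that carries no value, such as `upgrade-insecure-requests` or `block-all-mixed-content`, and on the empty segment left by a trailing `;`, because `k, v = part.strip().split(' ', 1)` always expects two fields; the error surfaces at the `_merge_csp(h, _parse_csp(resp['Content-Security-Policy']))` call in the next hunk whenever a view has set such a header. `v.split(' ')` also keeps empty tokens on doubled spaces, which `_render_csp` re-emits as stray spaces; skipping empty segments and using `partition` plus `split()` fixes both while keeping the `{directive: [source, ...]}` shape the other two helpers rely on. `_merge_csp` extends the lists in `a` in place, returns None and does not deduplicate, so a source present in both the default policy and the view header is emitted twice; a `# NOTE: mutates ``a`` in place; duplicate sources are not removed` comment would make that contract explicit. None of the three helpers has a docstring; a one-liner on each naming the shared dict-of-lists shape would help the next reader.
```python
def _parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source, ...]}."""
    h = {}
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue  # empty segment, e.g. from a trailing ';'
        k, _, v = part.partition(' ')
        h[k] = v.split()  # valueless directives map to []
    return h
```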
@@ -193,5 +196,5 @@ class SecurityMiddleware(MiddlewareMixin):
 else:
 staticdomain += " " + settings.SITE_URL
 dynamicdomain += " " + settings.SITE_URL
- resp['Content-Security-Policy'] = self._render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
+ resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
 return resp
diff --git a/src/pretix/settings.py b/src/pretix/settings.py
index f1ee0494e5..5afc9e6494 100644
--- a/src/pretix/settings.py
+++ b/src/pretix/settings.py
@@ -240,8 +240,8 @@ MIDDLEWARE = [
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'pretix.control.middleware.PermissionMiddleware',
 'pretix.base.middleware.LocaleMiddleware',
- 'pretix.presale.middleware.EventMiddleware',
 'pretix.base.middleware.SecurityMiddleware',
+ 'pretix.presale.middleware.EventMiddleware',
 ]
 try:
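Review bot: The swap of `SecurityMiddleware` and `EventMiddleware` in MIDDLEWARE is order-sensitive but carries no comment explaining it. Django runs process_response from the bottom of MIDDLEWARE upward, so listing SecurityMiddleware above EventMiddleware makes its CSP merge run after EventMiddleware and the views it wraps have had their chance to set a Content-Security-Policy header; that appears to be the intent here, but nothing in the file records it. A short comment above the SecurityMiddleware entry, e.g. `# keep above EventMiddleware: process_response runs bottom-up, so the CSP merge must see headers set further down`, would stop a later reorder from silently changing which headers get merged.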