Even slightly more CSP refactoring

2026-05-03 14:54:04 +00:00 · 2017-03-07 22:30:15 +01:00
parent cbf735487f
commit 2302dbade6
2 changed files with 25 additions and 22 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -135,27 +135,30 @@ def get_language_from_request(request: HttpRequest) -> str:
    )


+def _parse_csp(header):
+    h = {}
+    for part in header.split(';'):
+        k, v = part.strip().split(' ', 1)
+        h[k.strip()] = v.split(' ')
+    return h
+
+
+def _render_csp(h):
+    return "; ".join(k + ' ' + ' '.join(v) for k, v in h.items())
+
+
+def _merge_csp(a, b):
+    for k, v in a.items():
+        if k in b:
+            a[k] += b[k]
+
+    for k, v in b.items():
+        if k not in a:
+            a[k] = b[k]
+
+
 class SecurityMiddleware(MiddlewareMixin):

-    def _parse_csp(self, header):
-        h = {}
-        for part in header.split(';'):
-            k, v = part.strip().split(' ', 1)
-            h[k.strip()] = v.split(' ')
-        return h
-
-    def _render_csp(self, h):
-        return "; ".join(k + ' ' + ' '.join(v) for k, v in h.items())
-
-    def _merge_csp(self, a, b):
-        for k, v in a.items():
-            if k in b:
-                a[k] += b[k]
-
-        for k, v in b.items():
-            if k not in a:
-                a[k] = b[k]
-
    def process_response(self, request, resp):
        if settings.DEBUG and resp.status_code >= 400:
            # Don't use CSP on debug error page as it breaks of Django's fancy error
@@ -180,7 +183,7 @@ class SecurityMiddleware(MiddlewareMixin):
            'form-action': ["{dynamic}', 'https:"],
        }
        if 'Content-Security-Policy' in resp:
-            self._merge_csp(h, self._parse_csp(resp['Content-Security-Policy']))
+            _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))

        staticdomain = "'self'"
        dynamicdomain = "'self'"
@@ -193,5 +196,5 @@ class SecurityMiddleware(MiddlewareMixin):
            else:
                staticdomain += " " + settings.SITE_URL
                dynamicdomain += " " + settings.SITE_URL
-        resp['Content-Security-Policy'] = self._render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
+        resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
        return resp