chore: update deps

Author: Jenselme

config/settings.py

@@ -8,6 +8,7 @@
 import asgiref
 import django
 import environ
+from csp.constants import NONCE, NONE, SELF, STRICT_DYNAMIC, UNSAFE_INLINE
 from django.contrib.messages import constants as messages
 from django.utils.translation import gettext_lazy as _
 from template_partials.apps import wrap_loaders
@@ -331,30 +332,31 @@
 # https://django-csp.readthedocs.io/en/latest/configuration.html
 # https://content-security-policy.com/
 # https://csp-evaluator.withgoogle.com/
-CSP_DEFAULT_SRC = ("'self'",)
-CSP_SCRIPT_SRC = ("'strict-dynamic'", "'unsafe-inline'", "https:")
-CSP_SCRIPT_SRC_ATTR = None
-CSP_SCRIPT_SRC_ELEM = None
-CSP_IMG_SRC = ("'self'", "data:")
-CSP_OBJECT_SRC = ("'none'",)
-CSP_MEDIA_SRC = ("'self'",)
-CSP_FRAME_SRC = ("'none'",)
-CSP_FONT_SRC = ("'self'",)
-CSP_CONNECT_SRC = env.tuple("CSP_CONNECT_SRC", default=("'self'",))
-CSP_STYLE_SRC = ("'strict-dynamic'", "'unsafe-inline'", "https:")
-CSP_STYLE_SRC_ATTR = None
-CSP_STYLE_SRC_ELEM = None
-CSP_BASE_URI = ("'none'",)
-CSP_FRAME_ANCESTORS = ("'none'",)
-CSP_FORM_ACTION = ("'self'",)
-CSP_MANIFEST_SRC = ("'self'",)
-CSP_WORKER_SRC = ("'self'",)
-CSP_PLUGIN_TYPES = None
-CSP_REQUIRE_SRI_FOR = None
-CSP_INCLUDE_NONCE_IN = ("script-src", "style-src")
-# Those are forced to true in production
-CSP_UPGRADE_INSECURE_REQUESTS = IS_PRODUCTION
-CSP_BLOCK_ALL_MIXED_CONTENT = IS_PRODUCTION
+CONTENT_SECURITY_POLICY = {
+    "DIRECTIVES": {
+        "default-src": (SELF,),
+        "script-src": (STRICT_DYNAMIC, UNSAFE_INLINE, "https:", NONCE),
+        "script-src-attr": None,
+        "script-src-elem": None,
+        "img-src": (SELF, "data:"),
+        "object-src": (NONE,),
+        "media-src": (SELF,),
+        "frame-src": (NONE,),
+        "font-src": (SELF,),
+        "connect-src": env.tuple("CSP_CONNECT_SRC", default=(SELF,)),
+        "style-src": (STRICT_DYNAMIC, UNSAFE_INLINE, "https:", NONCE),
+        "style-src-attr": None,
+        "style-src-elem": None,
+        "base-uri": (NONE,),
+        "child-src": (NONE,),
+        "frame-ancestors": (NONE,),
+        "form-action": (SELF,),
+        "manifest-src": (SELF,),
+        "worker-src": (SELF,),
+        "require-sri-for": (NONE,),
+        "upgrade-insecure-requests": IS_PRODUCTION,
+    },
+}
 
 
 # CORS

legadilo/feeds/views/feed_articles_view.py

@@ -30,7 +30,7 @@
 
 @require_http_methods(["GET", "POST"])
 @login_required
-@csp_update(IMG_SRC="https:")
+@csp_update({"img-src": "https:"})  # type: ignore[arg-type]
 def feed_articles_view(
     request: AuthenticatedHttpRequest, feed_id: int, feed_slug: str | None = None
 ) -> TemplateResponse:

legadilo/reading/tests/test_views/test_manage_reading_lists_view.py

@@ -105,7 +105,7 @@ def test_invalid_form(self, logged_in_sync_client):
         }
 
     def test_create_reading_list(self, logged_in_sync_client, user, django_assert_num_queries):
-        with django_assert_num_queries(33):
+        with django_assert_num_queries(49):
             response = logged_in_sync_client.post(self.url, data=self.sample_data)
 
         reading_list = ReadingList.objects.get()
@@ -135,7 +135,7 @@ def test_create_duplicated_reading_list(
             **self.sample_data, slug=slugify(self.sample_data["title"]), user=user
         )
 
-        with django_assert_num_queries(19):
+        with django_assert_num_queries(35):
             response = logged_in_sync_client.post(self.url, data=self.sample_data)
 
         assert response.status_code == HTTPStatus.CONFLICT

legadilo/reading/views/article_details_views.py

@@ -61,7 +61,7 @@ def __init__(
 
 @require_http_methods(["GET", "POST"])
 @login_required
-@csp_update(IMG_SRC="https:")
+@csp_update({"img-src": "https:"})  # type: ignore[arg-type]
 def article_details_view(
     request: AuthenticatedHttpRequest, article_id: int, article_slug: str
 ) -> TemplateResponse:

legadilo/reading/views/list_of_articles_views.py

@@ -25,7 +25,7 @@
 from django.core.exceptions import ValidationError
 from django.core.paginator import Paginator
 from django.db import transaction
-from django.http import HttpResponseNotFound, HttpResponseRedirect
+from django.http import HttpResponse, HttpResponseNotFound, HttpResponseRedirect
 from django.shortcuts import get_object_or_404
 from django.template.response import TemplateResponse
 from django.urls import reverse
@@ -47,10 +47,10 @@
 
 @require_GET
 @login_required
-@csp_update(IMG_SRC="https:")
+@csp_update({"img-src": "https:"})  # type: ignore[arg-type]
 def reading_list_with_articles_view(
     request: AuthenticatedHttpRequest, reading_list_slug: str | None = None
-):
+) -> HttpResponse:
     try:
         displayed_reading_list = ReadingList.objects.get_reading_list(
             request.user, reading_list_slug
@@ -137,7 +137,7 @@ def _display_list_of_articles(
 
 @require_http_methods(["GET", "POST"])
 @login_required
-@csp_update(IMG_SRC="https:")
+@csp_update({"img-src": "https:"})  # type: ignore[arg-type]
 def tag_with_articles_view(request: AuthenticatedHttpRequest, tag_slug: str) -> TemplateResponse:
     displayed_tag = get_object_or_404(
         Tag,
@@ -154,7 +154,7 @@ def tag_with_articles_view(request: AuthenticatedHttpRequest, tag_slug: str) ->
 
 @require_http_methods(["GET", "POST"])
 @login_required
-@csp_update(IMG_SRC="https:")
+@csp_update({"img-src": "https:"})  # type: ignore[arg-type]
 def external_tag_with_articles_view(
     request: AuthenticatedHttpRequest, tag: str
 ) -> TemplateResponse:

legadilo/users/tests/snapshots/test_registration/test_registration_success/login_failure_response.html

@@ -231,7 +231,7 @@ <h1>Sign In</h1>
 
 <div id="div_id_login" class="mb-3"> <label
                 for="id_login" class="form-label requiredField">
-                Email<span class="asteriskField">*</span> </label> <input type="email" name="login" placeholder="Email address" autocomplete="email" maxlength="320" class="emailinput form-control is-invalid" required aria-invalid="true" id="id_login"> <p id="error_1_id_login" class="invalid-feedback"><strong>This field is required.</strong></p> </div> <div id="div_id_password" class="mb-3"> <label
+                Email<span class="asteriskField">*</span> </label> <input type="email" name="login" placeholder="Email address" autocomplete="email" maxlength="320" class="emailinput form-control is-invalid" required aria-invalid="true" aria-describedby="id_login_error" id="id_login"> <div id="id_login_error"class="invalid-feedback"> <p id="error_1_id_login"><strong>This field is required.</strong></p> </div> </div> <div id="div_id_password" class="mb-3"> <label
                 for="id_password" class="form-label requiredField">
                 Password<span class="asteriskField">*</span> </label> <input type="password" name="password" placeholder="Password" autocomplete="current-password" class="passwordinput form-control" required aria-describedby="id_password_helptext" id="id_password"> <div id="id_password_helptext" class="form-text"><a href="/accounts/password/reset/">Forgot your password?</a></div> </div> <div class="mb-3"> <div id="div_id_remember" class="form-check"> <input type="checkbox" name="remember" class="checkboxinput form-check-input" id="id_remember"> <label for="id_remember" class="form-check-label">
                     Remember Me