disable CSP for django debug view Fixes #27

add test for django debug view csp exempt
mozilla · Nov 5, 2013 · 97622fa · 97622fa
1 parent c8176ba
commit 97622fa
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/csp/middleware.py b/csp/middleware.py
@@ -1,4 +1,5 @@
 from django.conf import settings
+from django.utils.six.moves import http_client
 
 from csp.utils import build_policy
 
@@ -22,6 +23,11 @@ def process_response(self, request, response):
         if request.path_info.startswith(prefixes):
             return response
 
+        # Check for debug view
+        status_code = response.status_code
+        if status_code == http_client.INTERNAL_SERVER_ERROR and settings.DEBUG:
+            return response
+
         header = 'Content-Security-Policy'
         if getattr(settings, 'CSP_REPORT_ONLY', False):
             header += '-Report-Only'

diff --git a/csp/tests/test_middleware.py b/csp/tests/test_middleware.py
@@ -1,4 +1,4 @@
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseServerError
 from django.test import RequestFactory, TestCase
 from django.test.utils import override_settings
 
@@ -68,3 +68,10 @@ def test_use_replace(self):
         response._csp_replace = {'img-src': ['bar.com']}
         mw.process_response(request, response)
         eq_(response[HEADER], "default-src 'self'; img-src bar.com")
+
+    @override_settings(DEBUG=True)
+    def test_debug_exempt(self):
+        request = rf.get('/')
+        response = HttpResponseServerError()
+        mw.process_response(request, response)
+        assert HEADER not in response