
Don't include nonces in default-src when CSP_INCLUDE_NONCE_IN is unset / an empty list #191

Closed
juspence opened this issue Nov 29, 2022 · 3 comments

juspence commented Nov 29, 2022

Maybe adding nonces to the default-src is the intended behavior and not a bug. But it conflicts with a CSP policy like default-src: 'none'. That gets converted to default-src: 'none' 'nonce-1234', and the 'none' value is ignored because another value is present.

As an example, suppose a library wants to include nonces in a template, so that inline styles can use nonces if they're enabled:

<style{% if request.csp_nonce %} nonce="{{ request.csp_nonce }}"{% endif %}>{{ inline_style_here }}</style>

If a user of this library wants to use nonces in their CSP, they can set CSP_INCLUDE_NONCE_IN to 'style-src' and the library's template will automatically have its inline styling allowed. The nonce will appear in both the template and the CSP header.

If a user doesn't want to use nonces, they should be able to leave CSP_INCLUDE_NONCE_IN unset. The nonce could still appear in the template, or it could be set to an empty string. But no nonce values should appear in the CSP header.

Currently the nonce ends up in the default-src directive anyway. This breaks the user's CSP if they're relying on 'none' or 'unsafe-inline'. See encode/django-rest-framework#7960 (comment) for a real-world example of a library template that should be able to use nonces lazily, but can't as a result of this bug.


@robhudson (Member)

I agree this is a bug. If the CSP_INCLUDE_NONCE_IN setting is not set, it defaults to the value ["default-src"]. Thanks for the report.

One fix may be to explicitly set this to an empty list in your settings.

CSP_INCLUDE_NONCE_IN = []

Note: This is fixed in my PR 219. I will leave this open until that officially gets merged.
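To make the effect of the setting concrete, here is an added, simplified model of how a CSP header is assembled from a directive map plus a nonce-inclusion list (the list stands in for CSP_INCLUDE_NONCE_IN). This is illustrative code written for this issue, not django-csp's own implementation; the directive values and the nonce are constructed sample input. It also includes a small check that flags any directive where 'none' is combined with other sources, which is exactly the state the header ends up in when the default ["default-src"] is left in place.

```python
import secrets


def build_csp_header(directives, nonce, include_nonce_in):
    """Assemble a Content-Security-Policy header value.

    directives: mapping like {"default-src": ["'none'"], "style-src": ["'self'"]}
    nonce: the per-request nonce value, or None when none is issued
    include_nonce_in: directive names that get 'nonce-<value>' appended
                      (models the CSP_INCLUDE_NONCE_IN setting; [] means no
                      directive receives the nonce).
    """
    parts = []
    for name, sources in directives.items():
        values = list(sources)  # copy so the caller's lists are not mutated
        if nonce and name in include_nonce_in:
            values.append(f"'nonce-{nonce}'")
        parts.append(f"{name} {' '.join(values)}")
    return "; ".join(parts)


def conflicting_none_directives(header):
    """Return directive names in which 'none' appears alongside other sources.

    Browsers ignore 'none' as soon as any other source expression is present,
    so such a directive is effectively wider than the policy author intended.
    """
    bad = []
    for directive in header.split(";"):
        tokens = directive.split()
        if len(tokens) > 2 and "'none'" in tokens[1:]:
            bad.append(tokens[0])
    return bad


if __name__ == "__main__":
    # Constructed sample policy: lock everything down, allow same-origin styles.
    directives = {"default-src": ["'none'"], "style-src": ["'self'"]}
    nonce = secrets.token_urlsafe(16)

    # Default behaviour described in this issue: nonce lands in default-src.
    broken = build_csp_header(directives, nonce, ["default-src"])
    print(broken, "->", conflicting_none_directives(broken))

    # Workaround from the comment above: explicitly empty list, no nonce in header.
    clean = build_csp_header(directives, nonce, [])
    print(clean, "->", conflicting_none_directives(clean))

    # Opting in for style-src only, as the template snippet in this issue expects.
    styled = build_csp_header(directives, nonce, ["style-src"])
    print(styled, "->", conflicting_none_directives(styled))
```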

robhudson added a commit to robhudson/django-csp that referenced this issue Jun 6, 2024
This is a backwards incompatible change.

Also fixes mozilla#139, mozilla#191
robhudson added a commit that referenced this issue Jun 6, 2024
This is a backwards incompatible change.

Also fixes #139, #191
@robhudson (Member)

Fixed in #219
