Merge pull request #49 from MartinPetkov/master

Add support for IE to CSP middleware
sdelements · Jul 4, 2016 · c9a877f · c9a877f
2 parents 41f2f03 + 3c8b021
commit c9a877f
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/requirements b/requirements
@@ -1 +1,2 @@
 django>=1.4,<1.9
+ua_parser==0.7.1
diff --git a/security/middleware.py b/security/middleware.py
@@ -13,6 +13,8 @@
 from django.utils import timezone
 import django.views.static
 
+from ua_parser.user_agent_parser import ParseUserAgent
+
 from .password_expiry import password_is_expired
 
 logger = logging.getLogger(__name__)
@@ -692,8 +694,16 @@ def process_response(self, request, response):
         enforcement or report-only headers in all currently used variants.
         """
         # choose headers based enforcement mode
+        is_ie = False
+        if 'HTTP_USER_AGENT' in request.META:
+            parsed_ua = ParseUserAgent(request.META['HTTP_USER_AGENT'])
+            is_ie = parsed_ua['family'] == 'IE'
+
         if self._enforce:
-            header = 'Content-Security-Policy'
+            if is_ie:
+                header = 'X-Content-Security-Policy'
+            else:
+                header = 'Content-Security-Policy'
         else:
             header = 'Content-Security-Policy-Report-Only'
 

diff --git a/setup.py b/setup.py
@@ -38,6 +38,6 @@ def run(self):
           'Topic :: Software Development :: Libraries :: Python Modules',
 	  'Topic :: Security',
       ],
-      requires=['django (>=1.4)',],
+      requires=['django (>=1.4)', 'ua_parser (==0.7.1)'],
       cmdclass={'test': Test})
 
diff --git a/tox.ini b/tox.ini
@@ -11,11 +11,13 @@ deps =
 	django17: django==1.7
 	django18: django==1.8
 	coverage
+    ua_parser==0.7.1
 
 [testenv:docs]
 deps =
     Sphinx
     django
+    ua_parser==0.7.1
 commands =
     make clean
     make html