More improvements & supporting django-csp

Author: karolyi

CHANGELOG.md

@@ -8,6 +8,7 @@ Releases are added to the
 ## --- INSERT VERSION HERE ---
 
 - Automatically add `crossorigin` attributes to tags with `integrity` attributes when necessary (and enabled)
+- Use `request.csp_nonce` from [django-csp](https://github.com/mozilla/django-csp) if available and configured
 
 ## [3.1.1] -- 2024-08-30
 

README.md

@@ -256,6 +256,8 @@ WEBPACK_LOADER = {
 
 - `CROSSORIGIN`: If you use the `integrity` attribute in your tags and you load your webpack generated assets from another origin (that is not the same `host:port` as the one you load the webpage from), you can configure the `CROSSORIGIN` configuration option. The default value is `''` (empty string), where an empty `crossorigin` attribute will be emitted when necessary. Valid values are: `''` (empty string), `'anonymous'` (functionally same as the empty string) and `use-credentials`. For an explanation, see https://shubhamjain.co/2018/09/08/subresource-integrity-crossorigin/. A typical case for this scenario is when you develop locally and your webpack-dev-server runs with hot-reload on a local host/port other than that of django's `runserver`.
 
+- `CSP_NONCE`: Automatically generate nonces for rendered bundles from [django-csp](https://github.com/mozilla/django-csp). Default `False`. Set this to `True` if you use `django-csp` and and `'strict-dynamic'` [CSP mode](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic).
+
 - `LOADER_CLASS` is the fully qualified name of a python class as a string that holds the custom Webpack loader. This is where behavior can be customized as to how the stats file is loaded. Examples include loading the stats file from a database, cache, external URL, etc. For convenience, `webpack_loader.loaders.WebpackLoader` can be extended. The `load_assets` method is likely where custom behavior will be added. This should return the stats file as an object.
 
 Here's a simple example of loading from an external URL:

webpack_loader/config.py

@@ -23,6 +23,8 @@
         # Whenever the global setting for SKIP_COMMON_CHUNKS is changed, please
         # update the fallback value in get_skip_common_chunks (utils.py).
         'SKIP_COMMON_CHUNKS': False,
+        # Use nonces from django-csp when available
+        'CSP_NONCE': False
     }
 }
 

webpack_loader/loaders.py

@@ -1,7 +1,7 @@
 import json
 import os
 import time
-from functools import lru_cache
+from functools import cached_property, lru_cache
 from io import open
 from typing import Dict, Optional
 from urllib.parse import urlparse
@@ -21,11 +21,20 @@
 _CROSSORIGIN_NO_REQUEST = (
     'The crossorigin attribute might be necessary but you did not pass a '
     'request object. django_webpack_loader needs a request object to be able '
-    'to know when to emit the crossorigin attribute on link and script tags.')
+    'to know when to emit the crossorigin attribute on link and script tags. '
+    'Bundle name: {chunk_name}')
 _CROSSORIGIN_NO_HOST = (
     'You have passed the request object but it does not have a "HTTP_HOST", '
     'thus django_webpack_loader can\'t know if the crossorigin header will '
-    'be necessary or not.')
+    'be necessary or not. Bundle name: {chunk_name}')
+_NONCE_NO_REQUEST = (
+    'You have enabled the adding of nonce attributes to generated tags via '
+    'django_webpack_loader, but haven\'t passed a request. '
+    'Bundle name: {chunk_name}')
+_NONCE_NO_CSPNONCE = (
+    'django_webpack_loader can\'t generate a nonce tag for a bundle, '
+    'because the passed request doesn\'t contain a "csp_nonce". '
+    'Bundle name: {chunk_name}')
 
 
 @lru_cache(maxsize=100)
@@ -63,31 +72,33 @@ def get_asset_by_source_filename(self, name):
         return next((x for x in files if x.get("sourceFilename") == name), None)
 
     def _add_crossorigin(
-            self, request: Optional[HttpRequest], chunk_url: str,
-            integrity: str, attrs: str) -> str:
+            self, request: Optional[HttpRequest], chunk: Dict[str, str],
+            integrity: str, attrs_l: str) -> str:
         'Return an added `crossorigin` attribute if necessary.'
         def_value = f' integrity="{integrity}" '
-        cfgval: str = self.config.get('CROSSORIGIN')
         if not request:
-            warn(message=_CROSSORIGIN_NO_REQUEST, category=RuntimeWarning)
+            message = _CROSSORIGIN_NO_REQUEST.format(chunk_name=chunk['name'])
+            warn(message=message, category=RuntimeWarning)
             return def_value
-        if 'crossorigin' in attrs.lower():
+        if 'crossorigin' in attrs_l:
             return def_value
         host: Optional[str] = request.META.get('HTTP_HOST')
         if not host:
-            warn(message=_CROSSORIGIN_NO_HOST, category=RuntimeWarning)
+            message = _CROSSORIGIN_NO_HOST.format(chunk_name=chunk['name'])
+            warn(message=message, category=RuntimeWarning)
             return def_value
-        netloc = _get_netloc(url=chunk_url)
+        netloc = _get_netloc(url=chunk['url'])
         if netloc == '' or netloc == host:
             # Crossorigin not necessary
             return def_value
+        cfgval: str = self.config.get('CROSSORIGIN')
         if cfgval == '':
             return f'{def_value}crossorigin '
         return f'{def_value}crossorigin="{cfgval}" '
 
     def get_integrity_attr(
             self, chunk: Dict[str, str], request: Optional[HttpRequest],
-            attrs: str):
+            attrs_l: str) -> str:
         if not self.config.get('INTEGRITY'):
             # Crossorigin only necessary when integrity is used
             return ' '
@@ -100,8 +111,27 @@ def get_integrity_attr(
                 'you forgot to add integrity: true in your '
                 'BundleTrackerPlugin configuration?')
         return self._add_crossorigin(
-            request=request, chunk_url=chunk['url'], integrity=integrity,
-            attrs=attrs)
+            request=request, chunk=chunk, integrity=integrity,
+            attrs_l=attrs_l)
+
+    def get_nonce_attr(
+            self, chunk: Dict[str, str], request: Optional[HttpRequest],
+            attrs: str) -> str:
+        'Return an added nonce for CSP when available.'
+        if not self.config.get('CSP_NONCE'):
+            return ''
+        if request is None:
+            message = _NONCE_NO_REQUEST.format(chunk_name=chunk['name'])
+            warn(message=message, category=RuntimeWarning)
+            return ''
+        nonce = getattr(request, 'csp_nonce', None)
+        if nonce is None:
+            message = _NONCE_NO_CSPNONCE.format(chunk_name=chunk['name'])
+            warn(message=message, category=RuntimeWarning)
+            return ''
+        if 'nonce=' in attrs.lower():
+            return ''
+        return f'nonce="{nonce}" '
 
     def filter_chunks(self, chunks):
         filtered_chunks = []

webpack_loader/utils.py

@@ -1,10 +1,9 @@
 from collections import OrderedDict
+from functools import lru_cache
 from importlib import import_module
 from django.conf import settings
 from .config import load_config
 
-_loaders = {}
-
 
 def import_string(dotted_path):
     '''
@@ -21,12 +20,11 @@ def import_string(dotted_path):
         raise ImportError('%s doesn\'t look like a valid module path' % dotted_path)
 
 
+@lru_cache(maxsize=None)
 def get_loader(config_name):
-    if config_name not in _loaders:
-        config = load_config(config_name)
-        loader_class = import_string(config['LOADER_CLASS'])
-        _loaders[config_name] = loader_class(config_name, config)
-    return _loaders[config_name]
+    config = load_config(config_name)
+    loader_class = import_string(config['LOADER_CLASS'])
+    return loader_class(config_name, config)
 
 
 def get_skip_common_chunks(config_name):
@@ -73,6 +71,7 @@ def get_as_url_to_tag_dict(
     loader = get_loader(config)
     bundle = _get_bundle(loader, bundle_name, extension)
     result = OrderedDict()
+    attrs_l = attrs.lower()
 
     for chunk in bundle:
         if chunk['name'].endswith(('.js', '.js.gz')):
@@ -82,20 +81,22 @@ def get_as_url_to_tag_dict(
                 ).format(''.join([chunk['url'], suffix]), attrs)
             else:
                 result[chunk['url']] = (
-                    '<script src="{0}"{2}{1}></script>'
+                    '<script src="{0}"{2}{3}{1}></script>'
                 ).format(
                     ''.join([chunk['url'], suffix]),
                     attrs,
-                    loader.get_integrity_attr(chunk, request, attrs),
+                    loader.get_integrity_attr(chunk, request, attrs_l),
+                    loader.get_nonce_attr(chunk, request, attrs_l),
                 )
         elif chunk['name'].endswith(('.css', '.css.gz')):
             result[chunk['url']] = (
-                '<link href="{0}" rel={2}{3}{1}/>'
+                '<link href="{0}" rel={2}{3}{4}{1}/>'
             ).format(
                 ''.join([chunk['url'], suffix]),
                 attrs,
                 '"stylesheet"' if not is_preload else '"preload" as="style"',
-                loader.get_integrity_attr(chunk, request, attrs),
+                loader.get_integrity_attr(chunk, request, attrs_l),
+                loader.get_nonce_attr(chunk, request, attrs_l),
             )
     return result