From 78df1d05eb4fded355507159e8725f5c07a829f3 Mon Sep 17 00:00:00 2001
From: Tim Schilling
Date: Sat, 8 Mar 2025 15:39:52 -0600
Subject: [PATCH 1/2] Consolidate csp_nonce usages to a single property on the toolbar.
---
 debug_toolbar/toolbar.py | 4 ++--
 docs/changes.rst | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/debug_toolbar/toolbar.py b/debug_toolbar/toolbar.py
index 7f7f6c76b..6fae494e0 100644
--- a/debug_toolbar/toolbar.py
+++ b/debug_toolbar/toolbar.py
@@ -74,10 +74,10 @@ def csp_nonce(self):
 have a nonce associated with the request. Use the private attribute because the lazy object wrapped value can generate a nonce by accessing it. This isn't ideal when the toolbar is injecting context
- into the response because it may set a nonce that is not used with
+ into the response because it may set a nonce not used with
 other assets.
 """
- return getattr(self.request, "_csp_nonce", None)
+ return getattr(self.request, "csp_nonce", None)
 def get_panel_by_id(self, panel_id):
 """
diff --git a/docs/changes.rst b/docs/changes.rst
index 89ee7dddc..b0f6cf3a4 100644
--- a/docs/changes.rst
+++ b/docs/changes.rst
@@ -11,7 +11,7 @@ Pending
 or ``async_to_sync`` to allow sync/async compatibility.
 * Make ``require_toolbar`` decorator compatible to async views.
 * Added link to contributing documentation in ``CONTRIBUTING.md``.
-* Rely on django-csp's private attribute for nonce, ``request._csp_nonce``.
+* Create a CSP nonce property on the toolbar ``Toolbar().csp_nonce``.
 5.0.1 (2025-01-13)
 ------------------
From e98df93148fdc8b5dd1f5ab6141aaecf08eadf2f Mon Sep 17 00:00:00 2001
From: Tim Schilling
Date: Sat, 8 Mar 2025 15:41:54 -0600
Subject: [PATCH 2/2] Unpin django-csp for tests.
---
 tox.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tox.ini b/tox.ini
index 691ba2670..c8f4a6815 100644
--- a/tox.ini
+++ b/tox.ini
@@ -25,7 +25,7 @@ deps =
 pygments
 selenium>=4.8.0
 sqlparse
- django-csp<4
+ django-csp
 passenv=
 CI
 COVERAGE_ARGS
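Review bot: In the `debug_toolbar/toolbar.py` hunk, the docstring of `csp_nonce` still says "Use the private attribute because the lazy object wrapped value can generate a nonce by accessing it", but the return line now reads the public `csp_nonce` from the request, so the comment contradicts the code and the caveat it describes may no longer be avoided. If the public attribute is the lazy wrapper that the docstring refers to, a caller that renders the returned value would force a nonce into existence for toolbar markup only, which is the situation the docstring warns about. I would replace that sentence with something like `Read django-csp's public request.csp_nonce, which is lazy: evaluating it can generate a nonce, so render it only where a nonce attribute is emitted.` Since the second patch unpins django-csp in `tox.ini`, a test that pins the property's value for a request where no nonce was asked for would also help catch a difference between releases. The property's decorator and the start of its docstring lie outside the hunk.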