(self, request, response)
| 12 | request._csp_nonce = LazyNonce() |
| 13 | |
def process_response(self, request, response):
    """Add Content-Security-Policy headers to ``response`` and return it.

    The enforced and report-only policies are resolved independently.
    For each one, a ``_csp_config`` / ``_csp_ro_config`` attribute on the
    response takes precedence over ``settings.SECURE_CSP`` /
    ``settings.SECURE_CSP_REPORT_ONLY``. The attribute only has to exist,
    so an override that is empty or otherwise falsy suppresses that
    header for this response instead of falling back to the settings.

    A header that is already present on the response is never replaced.
    """
    nonce = get_nonce(request)

    # A unique marker distinguishes "attribute absent" from an attribute
    # that was deliberately set to a falsy value such as None or {}.
    missing = object()

    enforce_config = getattr(response, "_csp_config", missing)
    if enforce_config is missing:
        enforce_config = settings.SECURE_CSP

    report_only_config = getattr(response, "_csp_ro_config", missing)
    if report_only_config is missing:
        report_only_config = settings.SECURE_CSP_REPORT_ONLY

    policies = (
        (CSP.HEADER_ENFORCE, enforce_config),
        (CSP.HEADER_REPORT_ONLY, report_only_config),
    )
    for header_name, policy_config in policies:
        # An empty config means no CSP header is emitted for this mode.
        if not policy_config:
            continue
        # Headers already set (e.g. by the view) win over the middleware,
        # so a view-supplied policy is sent as-is.
        if header_name in response:
            continue
        response.headers[str(header_name)] = build_policy(policy_config, nonce)

    return response