From 07440fbd42f555002441842f28f1f91c534b5c6b Mon Sep 17 00:00:00 2001
From: Bryan Brancotte <bryan.brancotte@pasteur.fr>
Date: Thu, 3 Apr 2025 11:01:10 +0200
Subject: [PATCH] update to django-csp 4.0

---
 src/strass/requirements.txt   |  2 +-
 src/strass/strass/settings.py | 61 ++++++++++++++++++-----------------
 2 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/src/strass/requirements.txt b/src/strass/requirements.txt
index 5f03632f..3df95637 100644
--- a/src/strass/requirements.txt
+++ b/src/strass/requirements.txt
@@ -28,5 +28,5 @@ tqdm
 gunicorn
 qrcode[pil]
 python-magic # to check mime type
-django-csp
+django-csp>=4.0
 #END OF FILE
diff --git a/src/strass/strass/settings.py b/src/strass/strass/settings.py
index d6f93636..90260885 100644
--- a/src/strass/strass/settings.py
+++ b/src/strass/strass/settings.py
@@ -251,34 +251,37 @@ FILE_UPLOAD_MAX_MEMORY_SIZE = 10485760  # 10Mo
 ################################################################################
 # DJANGO CSP, and DJANGO CSP REPORTS
 ################################################################################
-CSP_DEFAULT_SRC = [
-    "'self'",
-    "*",
-]
-CSP_SCRIPT_SRC = [
-    "'self'",
-    "cdn.datatables.net",
-    "cdnjs.cloudflare.com",
-    "code.jquery.com",
-    "plausible.pasteur.cloud",
-    "stackpath.bootstrapcdn.com",
-    "cdn.jsdelivr.net",
-    "www.googletagmanager.com",
-    "www.google-analytics.com",
-]
-CSP_STYLE_SRC = [
-    "'self'",
-    "'unsafe-inline'",
-    '*',
-]
-CSP_IMG_SRC = [
-    "'self'",
-    "*",
-    "data:",
-]
-CSP_EXCLUDE_URL_PREFIXES = (
-    # "/candidate/",
-)
-CSP_REPORT_URI = reverse_lazy('cspmailreports:csp-report')
+
+CONTENT_SECURITY_POLICY = {
+    'DIRECTIVES': {
+        'default-src': [
+            "'self'",
+            '*',
+        ],
+        'script-src': [
+            "'self'",
+            'cdn.datatables.net',
+            'cdnjs.cloudflare.com',
+            'code.jquery.com',
+            'plausible.pasteur.cloud',
+            'stackpath.bootstrapcdn.com',
+            'cdn.jsdelivr.net',
+            'www.googletagmanager.com',
+            'www.google-analytics.com',
+        ],
+        'style-src': [
+            "'self'",
+            "'unsafe-inline'",
+            '*',
+        ],
+        'img-src': [
+            "'self'",
+            "*",
+            "data:",
+        ],
+        'report-uri': reverse_lazy('cspmailreports:csp-report'),
+    },
+    'EXCLUDE_URL_PREFIXES': (),
+}
 
 ################################################################################
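Review bot: `'report-uri': reverse_lazy('cspmailreports:csp-report')` hands django-csp a lazy string proxy rather than a `str`; as far as I recall, 4.0 normalizes directive values by `isinstance(value, str)` and otherwise treats them as an iterable of sources, and a lazy proxy iterates character by character, so the emitted `report-uri` may come out garbled (or raise) unless the installed version special-cases `Promise` objects — please check the rendered `Content-Security-Policy` header on a response before merging. If it does not resolve correctly, the simplest fix is a literal path, e.g. `'report-uri': '<CSP_REPORT_PATH>',  # literal str: reverse_lazy proxies are not str instances`, since calling `str()` on the proxy at settings-load time would trigger URL resolution before the URLconf is importable. Unrelated to the migration itself, the carried-over sources (`'*'` in `default-src`, `style-src` and `img-src`, plus `'unsafe-inline'` in `style-src`) make the policy effectively report-only for everything but scripts; a `# TODO: tighten — '*' makes 'self' redundant` comment next to `'default-src'` would flag that for follow-up.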
-- 
GitLab