path: root/django/middleware
Age  Commit message  Author
2025-10-21  Fixed #36656 -- Avoided truncating async streaming responses in GZipMiddleware.  Adam Johnson
2025-09-15  Renamed local variables in CsrfViewMiddleware._origin_verified() for clarity.  Klaas van Schelven
2025-09-03  Refs #34989 -- Ensured the Content-Length header is set when redirecting with APPEND_SLASH.  Ronan LE HAY
2025-08-28  Fixed #36532 -- Added Content Security Policy view decorators to override or disable policies.  Rob Hudson
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-08-27  Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."  Sarah Boyce
    This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25  Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest().  SaJH
    Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-21  Fixed #36560 -- Prevented UpdateCacheMiddleware from caching responses with Cache-Control 'no-cache' or 'no-store'.  mengxun
2025-07-24  Fixed typo in django/middleware/gzip.py.  Mohamed Amine Mahmoud
2025-07-23  Refs #36500 -- Rewrapped long docstrings and block comments via a script.  django-bot
    Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23  Removed double spaces after periods and within phrases.  Sarah Boyce
2025-06-27  Fixed #15727 -- Added Content Security Policy (CSP) support.  Rob Hudson
    This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets.
    Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section.
    Thanks to the multiple reviewers for their precise and valuable feedback.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-07-04  Removed unneeded hyphens in "counterintuitive".  Carlton Gibson
    Follow-up to 65ad4ade74dc9208b9d686a451cd6045df0c9c3a, which added "counterintuitive" to the wordlist. Removes unneeded (antiquated) hyphenated usages. See e.g. https://www.merriam-webster.com/dictionary/counterintuitive
2024-05-29  Fixed #35467 -- Replaced urlparse with urlsplit where appropriate.  Jake Howard
    This work should not generate any change of functionality, and `urlsplit` is approximately 6x faster. Most use cases of `urlparse` didn't touch the path, so they can be converted to `urlsplit` without any issue. Most of those which do use `.path` simply parse the URL, mutate the querystring, then put them back together, which is also fine (so long as urlunsplit is used).
2024-02-05  Fixed #27225 -- Added "Age" header when fetching cached responses.  Rinat Khabibiev
    Co-Authored-By: Alexander Lazarević <laza@e11bits.com>
2024-01-26  Applied Black's 2024 stable style.  Mariusz Felisiak
    https://github.com/psf/black/releases/tag/24.1.0
2023-12-08  Fixed #34742 -- Made CommonMiddleware raise APPEND_SLASH RuntimeError on DELETE requests.  Avaneesh Kumar
2023-05-02  Fixed #34515 -- Made LocaleMiddleware prefer language from paths when i18n patterns are used.  Mariusz Felisiak
    Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81.
    This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81 (refs #34069) and partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5.
    Thanks Anthony Baillard for the report.
    Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2023-01-17  Refs #32800 -- Removed CSRF_COOKIE_MASKED transitional setting per deprecation timeline.  Mariusz Felisiak
2022-12-22  Fixed #33735 -- Added async support to StreamingHttpResponse.  Carlton Gibson
    Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
2022-12-17  Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.  Andreas Pelme
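Heal The Breach works by varying the compressed length of each response by a random amount that is independent of the body, which adds noise to the length oracle that BREACH relies on. The gzip container offers a convenient place for that padding: an optional NUL-terminated filename field in the header, which decompressors read and discard. The block below is an added illustration of the technique in plain Python; it is not Django's `GZipMiddleware` or `django.utils.text.compress_string`, and the function names and the default of 100 random bytes are choices made for this example.

```python
"""Heal-The-Breach style padding of gzip output (illustrative, not Django's code)."""
import gzip
import secrets

GZIP_MAGIC = b"\x1f\x8b"
FNAME = 0x08  # FLG bit: a NUL-terminated original filename follows the 10-byte header


def compress_string(data: bytes, *, max_random_bytes: int = 100) -> bytes:
    """Return gzip(data) whose header carries a random-length filename.

    BREACH correlates attacker-controlled input with the compressed size of a
    response that also contains a secret. Padding the container by a random
    1..max_random_bytes bytes per response (plus the NUL terminator) leaves the
    decompressed body untouched while making individual size measurements
    noisy. This is a mitigation that raises the attacker's sample count, not a
    fix for the underlying side channel.
    """
    compressed = gzip.compress(data, compresslevel=6, mtime=0)
    if max_random_bytes <= 0:
        return compressed

    header = bytearray(compressed[:10])
    if header[:2] != GZIP_MAGIC or header[3] & FNAME:
        raise ValueError("unexpected gzip header layout")
    header[3] |= FNAME

    # Filename bytes must not contain NUL; lowercase ASCII letters are safe.
    length = 1 + secrets.randbelow(max_random_bytes)
    filename = bytes(0x61 + secrets.randbelow(26) for _ in range(length))
    # The CRC32 trailer covers the uncompressed data only, so the header
    # change needs no recomputation.
    return bytes(header) + filename + b"\x00" + compressed[10:]


def roundtrip_ok(data: bytes, *, max_random_bytes: int = 100) -> bool:
    """Standard decompressors ignore the filename field, so the body survives."""
    return gzip.decompress(compress_string(data, max_random_bytes=max_random_bytes)) == data


def padding_overhead(data: bytes, *, max_random_bytes: int = 100) -> int:
    """Bytes added by padding for one sample: 2..max_random_bytes + 1."""
    plain = compress_string(data, max_random_bytes=0)
    padded = compress_string(data, max_random_bytes=max_random_bytes)
    return len(padded) - len(plain)


def length_spread(data: bytes, *, samples: int = 32, max_random_bytes: int = 100) -> int:
    """Number of distinct compressed sizes seen across repeated compressions.

    Without padding this is always 1 (deterministic output), which is exactly
    the property BREACH exploits; with padding it grows with the sample count.
    """
    return len({len(compress_string(data, max_random_bytes=max_random_bytes)) for _ in range(samples)})
```

When deploying anything like this, the padding amount has to be drawn from a CSPRNG per response and must not be derivable from the request, otherwise an attacker can subtract it back out.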
2022-11-14  Fixed #34074 -- Added headers argument to RequestFactory and Client classes.  David Wobrock
2022-11-10  Updated documentation and comments for RFC updates.  Nick Pope
    - Updated references to RFC 1123 to RFC 5322
      - Only partial as RFC 5322 sort of sub-references RFC 1123.
    - Updated references to RFC 2388 to RFC 7578
      - Except RFC 2388 Section 5.3 which has no equivalent.
    - Updated references to RFC 2396 to RFC 3986
    - Updated references to RFC 2616 to RFC 9110
    - Updated references to RFC 3066 to RFC 5646
    - Updated references to RFC 7230 to RFC 9112
    - Updated references to RFC 7231 to RFC 9110
    - Updated references to RFC 7232 to RFC 9110
    - Updated references to RFC 7234 to RFC 9111
    - Tidied up style of text when referring to RFC documents
2022-10-31  Used more augmented assignment statements.  Nick Pope
    Identified using the following command:
    $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
2022-10-13  Fixed #34069 -- Made LocaleMiddleware respect language from requests when i18n patterns are used.  Sergio
2022-06-02  Fixed #33700 -- Skipped extra resolution for successful requests not ending with /.  Anders Kaseorg
    By moving a should_redirect_with_slash call out of an if block, commit 9390da7fb6e251eaa9a785692f987296cb14523f negated the performance fix of commit 434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (#24720). Meanwhile, the logging issue #26293 that it targeted was subsequently fixed more fully by commit 40b69607c751c4afa453edfd41d2ed155e58187e (#26504), so it is no longer needed. This effectively reverts it.
    This speeds up successful requests not ending with / when APPEND_SLASH is enabled (the default, and still useful in projects with a mix of URLs with and without trailing /). The amount of speedup varies from about 5% in a typical project to nearly 50% on a benchmark with many routes.
    Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2022-04-29  Refs #30426 -- Updated XFrameOptionsMiddleware docstring.  Clemens Wolff
    Follow-up to 05d0eca635853564c57e639ac5590674a7de2ed6.
2022-02-07  Refs #33476 -- Reformatted code with Black.  django-bot
2021-11-29  Refs #32800 -- Renamed _sanitize_token() to _check_token_format().  Chris Jerdonek
2021-11-29  Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.  Chris Jerdonek
    This also adds the CSRF_COOKIE_MASKED transitional setting, helpful in migrating multiple instances of the same project to Django 4.1+.
    Thanks Florian Apolloner and Shai Berger for reviews.
    Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-11-03  Fixed #33252 -- Made cache middlewares thread-safe.  Iuri de Silvio
2021-09-01  Fixed #32768 -- Added Vary header when redirecting to prefixed i18n pattern.  Alex Hayward
    get_language_from_request() uses Accept-Language and/or Cookie to determine the correct redirect. Upstream caches need the matching Vary header to cache the result.
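Two entries in this log concern the same caching contract: the 2021-09-01 commit, whose redirect depends on Accept-Language and Cookie and therefore must say so in Vary, and the 2025-08-21 commit, which stops UpdateCacheMiddleware from storing responses marked no-cache or no-store. The toy cache below is an added example of both rules and is not Django's cache middleware or LocaleMiddleware; the `Response` class, `ResponseCache` and the simplified `i18n_redirect()` language pick are constructed for the illustration, as is the sample traffic in the test.

```python
"""Toy HTTP response cache honouring Vary and Cache-Control (illustrative, not Django's code)."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b""


def cache_control_directives(value: str) -> set:
    """Lower-cased directive names, ignoring arguments such as max-age=600."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(",") if part.strip()}


def is_cacheable(response: Response) -> bool:
    """no-store: never write to a cache; no-cache: serving would require
    revalidation, which this simple cache cannot do, so it is not stored either."""
    directives = cache_control_directives(response.headers.get("Cache-Control", ""))
    return not ({"no-store", "no-cache"} & directives)


def cache_key(method: str, path: str, request_headers: dict, vary_header: str) -> tuple:
    """One entry per distinct combination of the request headers named in Vary."""
    req = {k.lower(): v for k, v in request_headers.items()}
    names = sorted(h.strip().lower() for h in vary_header.split(",") if h.strip())
    return (method, path, tuple((name, req.get(name, "")) for name in names))


class ResponseCache:
    def __init__(self):
        self._store = {}
        self._vary_by_url = {}  # remembers which request headers a URL varies on

    def store(self, method: str, path: str, request_headers: dict, response: Response) -> bool:
        if not is_cacheable(response):
            return False
        vary = response.headers.get("Vary", "")
        self._vary_by_url[(method, path)] = vary
        self._store[cache_key(method, path, request_headers, vary)] = response
        return True

    def lookup(self, method: str, path: str, request_headers: dict):
        vary = self._vary_by_url.get((method, path))
        if vary is None:
            return None
        return self._store.get(cache_key(method, path, request_headers, vary))


def i18n_redirect(request_headers: dict, add_vary: bool) -> Response:
    """Redirect to a language-prefixed URL chosen from Accept-Language.

    Deliberately simplified: the real negotiation also consults a cookie,
    which is why the Vary header names both.
    """
    accept = request_headers.get("accept-language", "en")
    lang = accept.split(",")[0].split("-")[0].strip() or "en"
    headers = {"Location": f"/{lang}/about/"}
    if add_vary:
        headers["Vary"] = "Accept-Language, Cookie"
    return Response(302, headers)


def served_redirect(add_vary: bool):
    """An English visitor primes the cache; return what a French visitor then gets.

    Without Vary the cache hands the French visitor the English redirect; with
    Vary the lookup misses and the origin answers correctly.
    """
    cache = ResponseCache()
    en_req = {"accept-language": "en"}
    fr_req = {"accept-language": "fr"}
    cache.store("GET", "/about", en_req, i18n_redirect(en_req, add_vary))
    hit = cache.lookup("GET", "/about", fr_req)
    return hit.headers["Location"] if hit else None
```

The same key function is what makes the no-store rule matter: a cache that keys only on URL and stores whatever it sees will happily replay one user's personalised or session-bound response to the next visitor.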
2021-08-17  Refs #32800 -- Added _add_new_csrf_cookie() helper function.  Chris Jerdonek
    This centralizes the logic to use when setting a new cookie. It also eliminates the need for the _get_new_csrf_token() function, which is now removed.
2021-08-17  Refs #32800 -- Renamed _set_token() to _set_csrf_cookie().  Chris Jerdonek
2021-08-03  Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match().  Chris Jerdonek
2021-07-29  Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE'].  Chris Jerdonek
2021-07-29  Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and request.csrf_cookie_needs_reset.  Chris Jerdonek
2021-07-23  Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError.  Virtosu Bogdan
    Thanks Chris Jerdonek for the review.
2021-07-23  Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic.  Chris Jerdonek
    Thanks Florian Apolloner and Shai Berger for reviews.
2021-06-23  Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages.  Chris Jerdonek
2021-06-22  Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token().  Chris Jerdonek
2021-06-12  Fixed comment in CsrfViewMiddleware to say _reject instead of reject.  Chris Jerdonek
2021-06-01  Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly formatted cookie tokens.  Chris Jerdonek
2021-05-31  Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly formatted tokens.  Chris Jerdonek
2021-05-29  Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.  Chris Jerdonek
    This also improves the comments near where the variable is used.
2021-05-28  Refs #32596 -- Added early return on safe methods in CsrfViewMiddleware.process_view().  Chris Jerdonek
2021-05-28  Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay computing good_referer.  Chris Jerdonek
2021-05-28  Fixed #32596 -- Added CsrfViewMiddleware._check_referer().  Chris Jerdonek
    This encapsulates CsrfViewMiddleware's referer logic into a method and updates existing tests to check the "seam" introduced by the refactor, when doing so would improve the test.
2021-05-25  Fixed #32778 -- Avoided unnecessary recompilation of token regex in _sanitize_token().  abhiabhi94
2021-04-30  Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.  Tim Graham
2021-03-30  Fixed #31840 -- Added support for Cross-Origin Opener Policy header.  bankc
    Thanks Adam Johnson and Tim Graham for the reviews.
    Co-authored-by: Tim Graham <timograham@gmail.com>