authorRob Hudson <rob@cogit8.org>2025-05-03 10:01:58 -0700
committernessita <124304+nessita@users.noreply.github.com>2025-06-27 15:57:02 -0300
commitd63241ebc7067fdebbaf704989b34fcd8f26bbe9 (patch)
tree07b5a5cb0c70c446f5f0fb9ad2834501fc3d6544 /django/template
parent3f59711581bd22ebd0f13fb040b15b69c0eee21f (diff)
Fixed #15727 -- Added Content Security Policy (CSP) support.
This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'django/template')
-rw-r--r--django/template/context_processors.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/django/template/context_processors.py b/django/template/context_processors.py
index 32753032fc..f9e5f218e4 100644
--- a/django/template/context_processors.py
+++ b/django/template/context_processors.py
@@ -10,6 +10,7 @@ of a DjangoTemplates backend and used by RequestContext.
import itertools
from django.conf import settings
+from django.middleware.csp import get_nonce
from django.middleware.csrf import get_token
from django.utils.functional import SimpleLazyObject, lazy
@@ -87,3 +88,10 @@ def media(request):
def request(request):
return {"request": request}
+
+
+def csp(request):
+ """
+ Add the CSP nonce to the context.
+ """
+ return {"csp_nonce": get_nonce(request)}
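Review bot: The docstring of the new `csp` context processor says only that it adds the nonce, which leaves out what a template author actually needs to know: the variable name it is exposed under, that the value comes from `get_nonce(request)` in `django.middleware.csp`, and that it is only useful when the CSP middleware emits a matching `nonce-...` source in the header (the commit message describes that pairing, but the code does not). Something like `"""Expose the per-request CSP nonce to templates as ``csp_nonce``. The value comes from django.middleware.csp.get_nonce(); it is only meaningful when ContentSecurityPolicyMiddleware is enabled so the same nonce appears in the response header."""` would cover that. Since a nonce is only a protection while it is unique per response, it would also be worth a one-line warning that rendered output containing `csp_nonce` must not be cached and served to later responses (e.g. by the cache middleware or template fragment caching), which presumably applies here but cannot be confirmed from this hunk. A `# NOTE: lazily creates the nonce on first use — confirm against get_nonce()` comment would make the laziness (or not) explicit, as nothing visible here shows whether calling this processor itself triggers nonce generation.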