Diffstat (limited to 'tests/context_processors/tests.py')
-rw-r--r--tests/context_processors/tests.py65
1 files changed, 64 insertions, 1 deletions
diff --git a/tests/context_processors/tests.py b/tests/context_processors/tests.py
index ba92ff8b05..737ff3e1cf 100644
--- a/tests/context_processors/tests.py
+++ b/tests/context_processors/tests.py
@@ -2,7 +2,8 @@
Tests for Django's bundled context processors.
"""
-from django.test import SimpleTestCase, TestCase, override_settings
+from django.test import SimpleTestCase, TestCase, modify_settings, override_settings
+from django.utils.csp import CSP
@override_settings(
@@ -96,3 +97,65 @@ class DebugContextProcessorTests(TestCase):
self.assertContains(response, "Third query list: 2")
# Check queries for DB connection 'other'
self.assertContains(response, "Fourth query list: 3")
+
+
+@override_settings(
+ ROOT_URLCONF="context_processors.urls",
+ TEMPLATES=[
+ {
+ "BACKEND": "django.template.backends.django.DjangoTemplates",
+ "APP_DIRS": True,
+ "OPTIONS": {
+ "context_processors": [
+ "django.template.context_processors.csp",
+ ],
+ },
+ }
+ ],
+ MIDDLEWARE=[
+ "django.middleware.csp.ContentSecurityPolicyMiddleware",
+ ],
+ SECURE_CSP={
+ "script-src": [CSP.SELF, CSP.NONCE],
+ },
+)
+class CSPContextProcessorTests(TestCase):
+ """
+ Tests for the django.template.context_processors.csp_nonce processor.
+ """
+
+ def test_csp_nonce_in_context(self):
+ response = self.client.get("/csp_nonce/")
+ self.assertIn("csp_nonce", response.context)
+
+ @modify_settings(
+ MIDDLEWARE={"remove": "django.middleware.csp.ContentSecurityPolicyMiddleware"}
+ )
+ def test_csp_nonce_in_context_no_middleware(self):
+ response = self.client.get("/csp_nonce/")
+ self.assertIn("csp_nonce", response.context)
+
+ def test_csp_nonce_in_header(self):
+ response = self.client.get("/csp_nonce/")
+ self.assertIn(CSP.HEADER_ENFORCE, response.headers)
+ csp_header = response.headers[CSP.HEADER_ENFORCE]
+ nonce = response.context["csp_nonce"]
+ self.assertIn(f"'nonce-{nonce}'", csp_header)
+
+ def test_different_nonce_per_request(self):
+ response1 = self.client.get("/csp_nonce/")
+ response2 = self.client.get("/csp_nonce/")
+ self.assertNotEqual(
+ response1.context["csp_nonce"],
+ response2.context["csp_nonce"],
+ )
+
+ def test_csp_nonce_in_template(self):
+ response = self.client.get("/csp_nonce/")
+ nonce = response.context["csp_nonce"]
+ self.assertIn(f'<script nonce="{nonce}">', response.text)
+
+ def test_csp_nonce_length(self):
+ response = self.client.get("/csp_nonce/")
+ nonce = response.context["csp_nonce"]
+ self.assertEqual(len(nonce), 22) # Based on secrets.token_urlsafe of 16 bytes.
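Review bot: `test_csp_nonce_in_context_no_middleware` makes the same single assertion as `test_csp_nonce_in_context`, so it does not pin down what is expected of the response once `ContentSecurityPolicyMiddleware` is removed. With the middleware gone, presumably no policy header is sent, and a nonce rendered into the template is then not backed by any enforced policy. Asserting that explicitly, e.g. `self.assertNotIn(CSP.HEADER_ENFORCE, response.headers)`, would document the contract and catch a regression in either direction. Separately, the class docstring names `django.template.context_processors.csp_nonce` while the `TEMPLATES` setting above it registers `django.template.context_processors.csp`; the docstring should use the registered path.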