p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Refs #31949 -- Made @xframe_options_(deny/sameorigin/exempt) decorators to work with async functions.

This commit is contained in:
Ben Lomax 2023-04-26 07:08:33 +01:00 committed by Mariusz Felisiak
parent b43936f2ec
commit 00f5d2d110
6 changed files with 144 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
AUTHORS
View File

@ -137,6 +137,7 @@ answer newbie questions, and generally made Django that much better:
Ben Godfrey <http://aftnn.org> Ben Godfrey <http://aftnn.org>
Benjamin Wohlwend <piquadrat@gmail.com> Benjamin Wohlwend <piquadrat@gmail.com>
Ben Khoo <khoobks@westnet.com.au> Ben Khoo <khoobks@westnet.com.au>
Ben Lomax <lomax.on.the.run@gmail.com>
Ben Slavin <benjamin.slavin@gmail.com> Ben Slavin <benjamin.slavin@gmail.com>
Ben Sturmfels <ben@sturm.com.au> Ben Sturmfels <ben@sturm.com.au>
Berker Peksag <berker.peksag@gmail.com> Berker Peksag <berker.peksag@gmail.com>

68
django/views/decorators/clickjacking.py
View File

@ -1,5 +1,7 @@
from functools import wraps from functools import wraps
from asgiref.sync import iscoroutinefunction
def xframe_options_deny(view_func): def xframe_options_deny(view_func):
""" """
@ -12,14 +14,23 @@ def xframe_options_deny(view_func):
... ...
""" """
@wraps(view_func) if iscoroutinefunction(view_func):
def wrapper_view(*args, **kwargs):
resp = view_func(*args, **kwargs)
if resp.get("X-Frame-Options") is None:
resp["X-Frame-Options"] = "DENY"
return resp
return wrapper_view async def _view_wrapper(*args, **kwargs):
response = await view_func(*args, **kwargs)
if response.get("X-Frame-Options") is None:
response["X-Frame-Options"] = "DENY"
return response
else:
def _view_wrapper(*args, **kwargs):
response = view_func(*args, **kwargs)
if response.get("X-Frame-Options") is None:
response["X-Frame-Options"] = "DENY"
return response
return wraps(view_func)(_view_wrapper)
def xframe_options_sameorigin(view_func): def xframe_options_sameorigin(view_func):
@ -33,14 +44,23 @@ def xframe_options_sameorigin(view_func):
... ...
""" """
@wraps(view_func) if iscoroutinefunction(view_func):
def wrapper_view(*args, **kwargs):
resp = view_func(*args, **kwargs)
if resp.get("X-Frame-Options") is None:
resp["X-Frame-Options"] = "SAMEORIGIN"
return resp
return wrapper_view async def _view_wrapper(*args, **kwargs):
response = await view_func(*args, **kwargs)
if response.get("X-Frame-Options") is None:
response["X-Frame-Options"] = "SAMEORIGIN"
return response
else:
def _view_wrapper(*args, **kwargs):
response = view_func(*args, **kwargs)
if response.get("X-Frame-Options") is None:
response["X-Frame-Options"] = "SAMEORIGIN"
return response
return wraps(view_func)(_view_wrapper)
def xframe_options_exempt(view_func): def xframe_options_exempt(view_func):
@ -53,10 +73,18 @@ def xframe_options_exempt(view_func):
... ...
""" """
@wraps(view_func) if iscoroutinefunction(view_func):
def wrapper_view(*args, **kwargs):
resp = view_func(*args, **kwargs)
resp.xframe_options_exempt = True
return resp
return wrapper_view async def _view_wrapper(*args, **kwargs):
response = await view_func(*args, **kwargs)
response.xframe_options_exempt = True
return response
else:
def _view_wrapper(*args, **kwargs):
response = view_func(*args, **kwargs)
response.xframe_options_exempt = True
return response
return wraps(view_func)(_view_wrapper)

10
docs/ref/clickjacking.txt
View File

@ -90,6 +90,11 @@ that tells the middleware not to set the header::
iframe, you may need to modify the :setting:`CSRF_COOKIE_SAMESITE` or iframe, you may need to modify the :setting:`CSRF_COOKIE_SAMESITE` or
:setting:`SESSION_COOKIE_SAMESITE` settings. :setting:`SESSION_COOKIE_SAMESITE` settings.
.. versionchanged:: 5.0
Support for wrapping asynchronous view functions was added to the
``@xframe_options_exempt`` decorator.
Setting ``X-Frame-Options`` per view Setting ``X-Frame-Options`` per view
------------------------------------ ------------------------------------
@ -113,6 +118,11 @@ decorators::
Note that you can use the decorators in conjunction with the middleware. Use of Note that you can use the decorators in conjunction with the middleware. Use of
a decorator overrides the middleware. a decorator overrides the middleware.
.. versionchanged:: 5.0
Support for wrapping asynchronous view functions was added to the
``@xframe_options_deny`` and ``@xframe_options_sameorigin`` decorators.
Limitations Limitations
=========== ===========

10
docs/releases/5.0.txt
View File

@ -233,9 +233,13 @@ CSRF
Decorators Decorators
~~~~~~~~~~ ~~~~~~~~~~
* The :func:`~django.views.decorators.cache.cache_control` and * The following decorators now support wrapping asynchronous view functions:
:func:`~django.views.decorators.cache.never_cache` decorators now support
wrapping asynchronous view functions. * :func:`~django.views.decorators.cache.cache_control`
* :func:`~django.views.decorators.cache.never_cache`
* ``xframe_options_deny()``
* ``xframe_options_sameorigin()``
* ``xframe_options_exempt()``
Email Email
~~~~~ ~~~~~

3
docs/topics/async.txt
View File

@ -83,6 +83,9 @@ view functions:
* :func:`~django.views.decorators.cache.cache_control` * :func:`~django.views.decorators.cache.cache_control`
* :func:`~django.views.decorators.cache.never_cache` * :func:`~django.views.decorators.cache.never_cache`
* ``xframe_options_deny()``
* ``xframe_options_sameorigin()``
* ``xframe_options_exempt()``
For example:: For example::

75
tests/decorators/test_clickjacking.py
View File

@ -1,3 +1,5 @@
from asgiref.sync import iscoroutinefunction
from django.http import HttpRequest, HttpResponse from django.http import HttpRequest, HttpResponse
from django.middleware.clickjacking import XFrameOptionsMiddleware from django.middleware.clickjacking import XFrameOptionsMiddleware
from django.test import SimpleTestCase from django.test import SimpleTestCase
@ -9,6 +11,20 @@ from django.views.decorators.clickjacking import (
class XFrameOptionsDenyTests(SimpleTestCase): class XFrameOptionsDenyTests(SimpleTestCase):
def test_wrapped_sync_function_is_not_coroutine_function(self):
def sync_view(request):
return HttpResponse()
wrapped_view = xframe_options_deny(sync_view)
self.assertIs(iscoroutinefunction(wrapped_view), False)
def test_wrapped_async_function_is_coroutine_function(self):
async def async_view(request):
return HttpResponse()
wrapped_view = xframe_options_deny(async_view)
self.assertIs(iscoroutinefunction(wrapped_view), True)
def test_decorator_sets_x_frame_options_to_deny(self): def test_decorator_sets_x_frame_options_to_deny(self):
@xframe_options_deny @xframe_options_deny
def a_view(request): def a_view(request):
@ -17,8 +33,30 @@ class XFrameOptionsDenyTests(SimpleTestCase):
response = a_view(HttpRequest()) response = a_view(HttpRequest())
self.assertEqual(response.headers["X-Frame-Options"], "DENY") self.assertEqual(response.headers["X-Frame-Options"], "DENY")
async def test_decorator_sets_x_frame_options_to_deny_async_view(self):
@xframe_options_deny
async def an_async_view(request):
return HttpResponse()
response = await an_async_view(HttpRequest())
self.assertEqual(response.headers["X-Frame-Options"], "DENY")
class XFrameOptionsSameoriginTests(SimpleTestCase): class XFrameOptionsSameoriginTests(SimpleTestCase):
def test_wrapped_sync_function_is_not_coroutine_function(self):
def sync_view(request):
return HttpResponse()
wrapped_view = xframe_options_sameorigin(sync_view)
self.assertIs(iscoroutinefunction(wrapped_view), False)
def test_wrapped_async_function_is_coroutine_function(self):
async def async_view(request):
return HttpResponse()
wrapped_view = xframe_options_sameorigin(async_view)
self.assertIs(iscoroutinefunction(wrapped_view), True)
def test_decorator_sets_x_frame_options_to_sameorigin(self): def test_decorator_sets_x_frame_options_to_sameorigin(self):
@xframe_options_sameorigin @xframe_options_sameorigin
def a_view(request): def a_view(request):
@ -27,8 +65,30 @@ class XFrameOptionsSameoriginTests(SimpleTestCase):
response = a_view(HttpRequest()) response = a_view(HttpRequest())
self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN") self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
async def test_decorator_sets_x_frame_options_to_sameorigin_async_view(self):
@xframe_options_sameorigin
async def an_async_view(request):
return HttpResponse()
response = await an_async_view(HttpRequest())
self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
class XFrameOptionsExemptTests(SimpleTestCase): class XFrameOptionsExemptTests(SimpleTestCase):
def test_wrapped_sync_function_is_not_coroutine_function(self):
def sync_view(request):
return HttpResponse()
wrapped_view = xframe_options_exempt(sync_view)
self.assertIs(iscoroutinefunction(wrapped_view), False)
def test_wrapped_async_function_is_coroutine_function(self):
async def async_view(request):
return HttpResponse()
wrapped_view = xframe_options_exempt(async_view)
self.assertIs(iscoroutinefunction(wrapped_view), True)
def test_decorator_stops_x_frame_options_being_set(self): def test_decorator_stops_x_frame_options_being_set(self):
""" """
@xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set @xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
@ -48,3 +108,18 @@ class XFrameOptionsExemptTests(SimpleTestCase):
# middleware's functionality. # middleware's functionality.
middleware_response = XFrameOptionsMiddleware(a_view)(request) middleware_response = XFrameOptionsMiddleware(a_view)(request)
self.assertIsNone(middleware_response.get("X-Frame-Options")) self.assertIsNone(middleware_response.get("X-Frame-Options"))
async def test_exempt_decorator_async_view(self):
@xframe_options_exempt
async def an_async_view(request):
return HttpResponse()
request = HttpRequest()
response = await an_async_view(request)
self.assertIsNone(response.get("X-Frame-Options"))
self.assertIs(response.xframe_options_exempt, True)
# The real purpose of the exempt decorator is to suppress the
# middleware's functionality.
middleware_response = await XFrameOptionsMiddleware(an_async_view)(request)
self.assertIsNone(middleware_response.get("X-Frame-Options"))