Address review comments

Author: federicobond

django-stubs/conf/global_settings.pyi

@@ -545,5 +545,5 @@ SECURE_SSL_REDIRECT: bool
 ##################
 # CSP MIDDLEWARE #
 ##################
-SECURE_CSP: dict[str, Any] = {}
-SECURE_CSP_REPORT_ONLY: dict[str, Any] = {}
+SECURE_CSP: dict[str, Sequence[str] | str]
+SECURE_CSP_REPORT_ONLY: dict[str, Sequence[str] | str]

django-stubs/middleware/csp.pyi

@@ -1,7 +1,10 @@
 from django.http import HttpRequest, HttpResponse
 from django.utils.csp import CSP as CSP
+from django.utils.csp import LazyNonce
 from django.utils.deprecation import MiddlewareMixin
 
+def get_nonce(request: HttpRequest) -> LazyNonce | None: ...
+
 class ContentSecurityPolicyMiddleware(MiddlewareMixin):
     def process_request(self, request: HttpRequest) -> None: ...
     def process_response(self, request: HttpRequest, response: HttpResponse) -> HttpResponse: ...

django-stubs/utils/csp.pyi

@@ -1,14 +1,17 @@
 import sys
+from collections.abc import Sequence
+
+from django.utils.functional import SimpleLazyObject
 
 if sys.version_info >= (3, 11):
-    from enum import StrEnum
+    from enum import StrEnum as _StrEnum
 else:
     from enum import Enum
 
-    class ReprEnum(Enum): ...  # type: ignore[misc]
-    class StrEnum(str, ReprEnum): ...  # type: ignore[misc]
+    class _ReprEnum(Enum): ...  # type: ignore[misc]
+    class _StrEnum(str, _ReprEnum): ...  # type: ignore[misc]
 
-class CSP(StrEnum):
+class CSP(_StrEnum):
     HEADER_ENFORCE = "Content-Security-Policy"
     HEADER_REPORT_ONLY = "Content-Security-Policy-Report-Only"
 
@@ -22,3 +25,7 @@ class CSP(StrEnum):
     WASM_UNSAFE_EVAL = "'wasm-unsafe-eval'"
 
     NONCE = "<CSP_NONCE_SENTINEL>"
+
+class LazyNonce(SimpleLazyObject): ...
+
+def build_policy(config: dict[str, Sequence[str] | str], nonce: SimpleLazyObject | str | None = None) -> str: ...

django-stubs/views/decorators/csp.pyi

@@ -1,7 +1,7 @@
-from collections.abc import Callable
+from collections.abc import Callable, Sequence
 from typing import Any, TypeVar
 
 _F = TypeVar("_F", bound=Callable[..., Any])
 
-def csp_override(config: dict[str, Any]) -> Callable[[_F], _F]: ...
-def csp_report_only_override(config: dict[str, Any]) -> Callable[[_F], _F]: ...
+def csp_override(config: dict[str, Sequence[str] | str]) -> Callable[[_F], _F]: ...
+def csp_report_only_override(config: dict[str, Sequence[str] | str]) -> Callable[[_F], _F]: ...

tests/assert_type/views/test_decorators.py

@@ -0,0 +1,24 @@
+from django.http import HttpRequest, HttpResponse
+from django.views.decorators.csp import csp_override, csp_report_only_override
+from typing_extensions import assert_type
+
+
+@csp_override(
+    {
+        "default-src": ["'self'"],
+        "script-src": ["'self'", "'unsafe-inline'"],
+    }
+)
+def my_view(request: HttpRequest) -> HttpResponse: ...
+
+@csp_report_only_override(
+    {
+        "default-src": ["'self'"],
+        "script-src": ["'self'", "'unsafe-inline'"],
+    }
+)
+def my_view2(request: HttpRequest) -> HttpResponse: ...
+
+
+assert_type(my_view(HttpRequest()), HttpResponse)
+assert_type(my_view2(HttpRequest()), HttpResponse)