
build(deps): bump django-csp from 3.8 to 4.0 in /django_app#968

Open
dependabot[bot] wants to merge 1 commit into dev from dependabot/pip/django_app/django-csp-4.0

Conversation


@dependabot dependabot bot commented on behalf of github Apr 13, 2026

Bumps django-csp from 3.8 to 4.0.

Release notes

Sourced from django-csp's releases.

v4.0

This release contains several breaking changes. For a complete migration guide, see: https://django-csp.readthedocs.io/en/latest/migration-guide.html

Breaking Changes

  • Configuration Format: Moved to dict-based configuration which allows for setting policies for both enforced and report-only. Instead of using individual settings with CSP_ prefixes, you now use dictionaries called CONTENT_SECURITY_POLICY and/or CONTENT_SECURITY_POLICY_REPORT_ONLY. (#219)

    You can use Django's check command to automatically identify existing CSP settings and generate a template for the new configuration format:

    python manage.py check

    This will detect your old CSP_ prefixed settings and output a draft of the new dict-based configuration, giving you a starting point for migration.

    Example:

    Change from:

    CSP_DEFAULT_SRC = ["'self'", "*.example.com"]
    CSP_SCRIPT_SRC = ["'self'", "js.cdn.com/example/"]
    CSP_IMG_SRC = ["'self'", "data:", "example.com"]
    CSP_EXCLUDE_URL_PREFIXES = ["/admin"]

    to:

    from csp.constants import SELF

    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "default-src": [SELF, "*.example.com"],
            "script-src": [SELF, "js.cdn.com/example/"],
            "img-src": [SELF, "data:", "example.com"],
        },
        "EXCLUDE_URL_PREFIXES": ["/admin"],
    }

  • Nonce Configuration: Switched from specifying directives that should contain nonces as a separate list to using a sentinel NONCE value in the directive itself. (#223)

    Example:

... (truncated)

Changelog

Sourced from django-csp's changelog.

4.0

This release contains several breaking changes. For a complete migration guide, see: https://django-csp.readthedocs.io/en/latest/migration-guide.html

Breaking Changes

  • Configuration Format: Moved to dict-based configuration which allows for setting policies for both enforced and report-only. Instead of using individual settings with CSP_ prefixes, you now use dictionaries called CONTENT_SECURITY_POLICY and/or CONTENT_SECURITY_POLICY_REPORT_ONLY. (#219)

    You can use Django's check command to automatically identify existing CSP settings and generate a template for the new configuration format:

    python manage.py check

    This will detect your old CSP_ prefixed settings and output a draft of the new dict-based configuration, giving you a starting point for migration.

    Example:

    Change from:

    CSP_DEFAULT_SRC = ["'self'", "*.example.com"]
    CSP_SCRIPT_SRC = ["'self'", "js.cdn.com/example/"]
    CSP_IMG_SRC = ["'self'", "data:", "example.com"]
    CSP_EXCLUDE_URL_PREFIXES = ["/admin"]

    to:

    from csp.constants import SELF

    CONTENT_SECURITY_POLICY = {
        "DIRECTIVES": {
            "default-src": [SELF, "*.example.com"],
            "script-src": [SELF, "js.cdn.com/example/"],
            "img-src": [SELF, "data:", "example.com"],
        },
        "EXCLUDE_URL_PREFIXES": ["/admin"],
    }

  • Nonce Configuration: Switched from specifying directives that should contain nonces as a separate list to using a sentinel NONCE value in the directive itself. (#223)

... (truncated)

Commits
  • 6d5cc6c Prep for 4.0 release
  • 9d06e25 docs: Update configuration exclude info
  • d6bff9f Prep for 4.0b7 release
  • 395d928 Remove CSPMiddlewareAlwaysGenerateNonce
  • 4054a7b Prepare for 4.0b6 release
  • 3553412 Fix CSPMiddlewareAlwaysGenerateNonce
  • 970be26 Prep for django-csp==4.0b5
  • 834e628 Reformat with pyproject-fmt
  • 580c1fc Upgrade ReadTheDocs environment
  • 40c89d4 Expand tests for nonce usage in templates
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 13, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 13, 2026 23:04
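The migration described in the release notes above (individual CSP_ settings replaced by the CONTENT_SECURITY_POLICY dict, and the separate nonce list replaced by a NONCE sentinel inside the directive), worked through as a runnable script. This is an added example written for this page, not django-csp's own code and not the output of its manage.py check; SELF and NONCE are local stand-ins for csp.constants.SELF and csp.constants.NONCE so it runs without django-csp installed, and the 3.x names CSP_INCLUDE_NONCE_IN and CSP_REPORT_ONLY are assumed from the 3.x settings API rather than taken from this page. It goes beyond the page's example by also rendering the resulting dict as a header value, which makes the per-request substitution of the NONCE sentinel and the effect of EXCLUDE_URL_PREFIXES visible.

```python
"""Migrate django-csp 3.x CSP_* settings to the 4.0 dict format and render
the result as a Content-Security-Policy header value.

Added example for this page, not django-csp's own code.  SELF and NONCE are
local stand-ins for csp.constants.SELF / csp.constants.NONCE so the script
runs without django-csp installed (assumption: a real project imports them
from csp.constants instead).
"""
import secrets

SELF = "'self'"    # stand-in for csp.constants.SELF (assumption)
NONCE = "<NONCE>"  # stand-in for the csp.constants.NONCE sentinel (assumption)

# 3.x settings that are policy options rather than directives.  Names are
# assumed from the 3.x settings API; only the ones this example handles are
# listed, any other CSP_* key is treated as a directive.
LEGACY_OPTIONS = {"CSP_EXCLUDE_URL_PREFIXES": "EXCLUDE_URL_PREFIXES"}
LEGACY_NONCE_LIST = "CSP_INCLUDE_NONCE_IN"  # 3.x: directives that receive a nonce
LEGACY_REPORT_ONLY = "CSP_REPORT_ONLY"      # 3.x: bool, emit the report-only header

# Constructed sample: the 3.x settings from the release notes plus a nonce list.
LEGACY_SETTINGS = {
    "CSP_DEFAULT_SRC": ["'self'", "*.example.com"],
    "CSP_SCRIPT_SRC": ["'self'", "js.cdn.com/example/"],
    "CSP_IMG_SRC": ["'self'", "data:", "example.com"],
    "CSP_EXCLUDE_URL_PREFIXES": ["/admin"],
    "CSP_INCLUDE_NONCE_IN": ["script-src"],
}


def migrate_legacy_settings(settings):
    """Build the 4.0 dict: {"CONTENT_SECURITY_POLICY": {...}}, or the
    CONTENT_SECURITY_POLICY_REPORT_ONLY variant when CSP_REPORT_ONLY is set."""
    directives = {}
    policy = {"DIRECTIVES": directives}
    for key, value in settings.items():
        if not key.startswith("CSP_") or key in (LEGACY_NONCE_LIST, LEGACY_REPORT_ONLY):
            continue
        if key in LEGACY_OPTIONS:
            policy[LEGACY_OPTIONS[key]] = list(value)
            continue
        # CSP_SCRIPT_SRC -> script-src; a quoted 'self' becomes the SELF constant.
        directive = key[len("CSP_"):].lower().replace("_", "-")
        directives[directive] = [SELF if v == "'self'" else v for v in value]
    # The separate nonce list becomes a NONCE sentinel inside each named directive.
    for directive in settings.get(LEGACY_NONCE_LIST, []):
        directives.setdefault(directive, []).append(NONCE)
    name = ("CONTENT_SECURITY_POLICY_REPORT_ONLY" if settings.get(LEGACY_REPORT_ONLY)
            else "CONTENT_SECURITY_POLICY")
    return {name: policy}


def render_policy(policy, nonce=""):
    """Serialise DIRECTIVES as a header value, substituting a per-request
    nonce for the NONCE sentinel.  A fresh random nonce is used if none given."""
    nonce = nonce or secrets.token_urlsafe(16)
    parts = []
    for directive, sources in policy["DIRECTIVES"].items():
        rendered = [f"'nonce-{nonce}'" if s == NONCE else s for s in sources]
        parts.append(" ".join([directive, *rendered]))
    return "; ".join(parts)


def is_excluded(policy, path):
    """True when the request path matches an EXCLUDE_URL_PREFIXES entry."""
    return any(path.startswith(p) for p in policy.get("EXCLUDE_URL_PREFIXES", []))


if __name__ == "__main__":
    migrated = migrate_legacy_settings(LEGACY_SETTINGS)
    (setting_name, policy), = migrated.items()
    print(f"{setting_name} = {policy!r}")
    for path in ("/admin/login/", "/app/"):
        if is_excluded(policy, path):
            print(f"{path}: no CSP header (excluded prefix)")
        else:
            print(f"{path}: Content-Security-Policy: {render_policy(policy)}")
```

Running the script prints the migrated dict and then one header line per sample path; the nonce in the script-src directive changes on every call of render_policy, which is the property the NONCE sentinel exists to provide, while the /admin path gets no header at all because of EXCLUDE_URL_PREFIXES.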

github-actions bot commented Apr 13, 2026

Dependency Review

✅ No vulnerabilities or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 98753ea.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package         Version  Score    Details
pip/django-csp  4.0      Unknown  Unknown

Scanned Files

  • django_app/poetry.lock

Bumps [django-csp](https://github.com/mozilla/django-csp) from 3.8 to 4.0.
- [Release notes](https://github.com/mozilla/django-csp/releases)
- [Changelog](https://github.com/mozilla/django-csp/blob/main/CHANGES.md)
- [Commits](mozilla/django-csp@3.8...v4.0)

---
updated-dependencies:
- dependency-name: django-csp
  dependency-version: '4.0'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/django_app/django-csp-4.0 branch from 6a418c4 to 98753ea on April 15, 2026 09:19