#37149: Use securitypolicyviolation event listener in tearDown() to check CSP
violations for integration tests
-------------------------------------+-------------------------------------
     Reporter:  Varun Kasyap         |                     Type:
  Pentamaraju                        |  Cleanup/optimization
       Status:  new                  |                Component:  Testing
                                     |  framework
      Version:  dev                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 Several integration tests currently verify that no Content Security Policy
 (CSP) violations occurred by inspecting browser logs in `tearDown()`:

 In `django\contrib\admin\tests.py`:

 {{{
 #!python
     def tearDown(self):
         # Ensure that no CSP violations were logged in the browser.
         self.assertEqual(self.get_browser_logs(source="security"), [])
 }}}

 The current logic relies on `get_browser_logs()` to check that there are no
 CSP violations:

 {{{
 #!python
     def get_browser_logs(self, source=None, level="ALL"):
         """
         Return Chrome console logs filtered by level and optionally source.
         """
         try:
             logs = self.selenium.get_log("browser")
         except AttributeError:
             logs = []
         return [
             log
             for log in logs
             if (level == "ALL" or log["level"] == level)
             and (source is None or log["source"] == source)
         ]
 }}}

 However, `get_browser_logs()` is only supported for Chrome and is
 skipped for non-Chrome browsers.

 A browser-independent alternative would be to register a
 `securitypolicyviolation` event listener in the test page and collect
 violations in `tearDown()`.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37149>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
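
A sketch of the listener-based collection the ticket proposes, as an added example that is not part of the ticket or of Django's code. The names `installCspCollector`, `drainViolations` and `__cspViolations` are hypothetical, and the sample events are constructed. The listener only sees violations raised after it is registered, so the script has to run before the rest of the page and must itself be allowed by the page's policy.

```javascript
// Added example, not Django's code. installCspCollector, drainViolations and
// the __cspViolations property are hypothetical names.
const FIELDS = ["violatedDirective", "effectiveDirective", "blockedURI",
  "documentURI", "sourceFile", "lineNumber", "disposition"];

// In a page: installCspCollector(document, window). The event bubbles, so a
// listener on document also sees violations fired at individual elements.
function installCspCollector(target, store) {
  if (store.__cspViolations) return store.__cspViolations; // already installed
  const violations = [];
  target.addEventListener("securitypolicyviolation", (event) => {
    // Copy to a plain object: WebDriver can hand JSON-like data back to the
    // test process, but not a live Event.
    const record = {};
    for (const field of FIELDS) record[field] = event[field] ?? null;
    violations.push(record);
  });
  store.__cspViolations = violations;
  return violations;
}

// Return and clear what was collected, so each test starts from empty.
function drainViolations(store, { includeReportOnly = true } = {}) {
  const all = store.__cspViolations || [];
  const taken = all.splice(0, all.length);
  return includeReportOnly ? taken : taken.filter((v) => v.disposition === "enforce");
}

// Constructed sample run outside a browser, using the global EventTarget.
function demo() {
  const target = new EventTarget();
  const store = {};
  installCspCollector(target, store);
  const samples = [
    { violatedDirective: "script-src-elem", blockedURI: "inline", disposition: "enforce" },
    { violatedDirective: "img-src", blockedURI: "https://example.invalid/a.png", disposition: "report" },
  ];
  for (const sample of samples) {
    target.dispatchEvent(Object.assign(new Event("securitypolicyviolation"), sample));
  }
  return drainViolations(store);
}
```

With these functions loaded as globals in the test page, `tearDown()` could assert that `self.selenium.execute_script("return drainViolations(window)")` returns an empty list.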
