Always apply NonceInfo when present

NonceInfo was set in a '/usertraffic' request but not added to the header.
agdsn · Oct 7, 2023 · 9f9e9a4 · 9f9e9a4
1 parent e6d341d
commit 9f9e9a4
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 17 deletions.
diff --git a/sipa/blueprints/usersuite.py b/sipa/blueprints/usersuite.py
@@ -14,8 +14,6 @@
     abort,
     request,
     current_app,
-    make_response,
-    g,
 )
 from flask_babel import format_date, gettext
 from flask_login import current_user, login_required
@@ -39,7 +37,6 @@
     SubnetFull,
 )
 from sipa.model.misc import PaymentDetails
-from sipa.utils.csp import NonceInfo
 
 logger = logging.getLogger(__name__)
 
@@ -115,19 +112,7 @@ def index():
             logs=info.history,
         )
 
-    resp = make_response(
-        render_template("usersuite/index.html", payment_form=payment_form, **context)
-    )
-    nonce_info = g.nonce_info
-    if nonce_info is None:
-        logger.error(
-            "nonce_info not set after rendering usersuite index", exc_info=True
-        )
-        return resp
-
-    assert isinstance(nonce_info, NonceInfo)
-    nonce_info.apply_to_csp(resp.content_security_policy)
-    return resp
+    return render_template("usersuite/index.html", payment_form=payment_form, **context)
 
 
 @bp_usersuite.route("/contact", methods=['GET', 'POST'])

diff --git a/sipa/initialization.py b/sipa/initialization.py
@@ -5,6 +5,7 @@
 from datetime import datetime
 
 import sentry_sdk
+from flask import g
 from flask_babel import Babel, get_locale
 from werkzeug import Response
 from werkzeug.middleware.proxy_fix import ProxyFix
@@ -23,7 +24,7 @@
 from sipa.session import SeparateLocaleCookieSessionInterface
 from sipa.utils import url_self, support_hotline_available, meetingcal
 from sipa.utils.babel_utils import get_weekday
-from sipa.utils.csp import ensure_items
+from sipa.utils.csp import ensure_items, NonceInfo
 from sipa.utils.git_utils import init_repo, update_repo
 from sipa.utils.graph_utils import generate_traffic_chart, provide_render_function
 
@@ -226,6 +227,8 @@ def init_logging(app):
 
 
 def ensure_csp(r: Response) -> Response:
+    apply_nonces_to_csp(r)
+
     csp = r.content_security_policy
     SELF = ("'self'",)
     csp.default_src = ensure_items(csp.default_src, SELF)
@@ -259,3 +262,13 @@ def ensure_csp(r: Response) -> Response:
     csp.worker_src = ensure_items(csp.worker_src, ("'none'",))
     # there doesn't seem to be a good way to set `upgrade-insecure-requests`
     return r
+
+
+def apply_nonces_to_csp(r: Response) -> None:
+    if not hasattr(g, "nonce_info"):
+        return
+
+    nonce_info = g.nonce_info
+    assert isinstance(nonce_info, NonceInfo)
+
+    nonce_info.apply_to_csp(r.content_security_policy)