Content-Security-Policy Optimizations #4859

Open
Tracked by #164
rfultz opened this issue Sep 1, 2021 · 0 comments
rfultz commented Sep 1, 2021

BACK STORY
For GTM, I needed to add a couple entries to our CSP (so the debugger could load).

The current approach is in middleware.py and we’re creating a dictionary of lists, then appending strings to those lists based on environment. (e.g. style-src is set to ['self', 'unsafe-inline', data:] and we append https://fonts.googleapis.com https://tagmanager.google.com/ https://www.googletagmanager.com/debug/ for not-prod)

Laura had commented that we could use extend when we’re adding more than one, rather than adding a single string of multiple items to the end of a list. Out of curiosity, I looked into the performance differences between append and extend.

import timeit  # stdlib; timeit.timeit() runs the statement 1,000,000 times unless number= is given

# Run from inside the CSP middleware, so `request` is the Django request being served.
# First argument is the statement being timed; second is the setup, executed once before the timed loop.
print('APPEND ', request.path, ' - ', timeit.timeit(
    'csp["default-src"].append("localhost:* http://127.0.0.1:*")',  # one list item holding two sources
    'csp={"default-src": ["self","*.fec.gov","*.app.cloud.gov"],"connect-src": ["self","*.fec.gov","*.app.cloud.gov","https://www.google-analytics.com"]}',
))

print('EXTEND ', request.path, ' - ', timeit.timeit(
    'csp["default-src"].extend(["localhost:*","http://127.0.0.1:*"])',  # two separate list items
    'csp={"default-src": ["self","*.fec.gov","*.app.cloud.gov"],"connect-src": ["self","*.fec.gov","*.app.cloud.gov","https://www.google-analytics.com"]}',
))

FINDINGS
extend takes an average of .3 seconds longer than the same append.

Worse: the timeit function fires every time any asset is requested*—for every page, every image…

*Am I reading it incorrectly? Is it happening only for localhost?

QUESTION
What d’you think about setting the various CSP string values somewhere like settings/production.py, dev.py, etc? These values are set at deploy and never change*—seems wasteful to re-calculate them every time any asset is requested

*apart from additions for when a user is logged in to the CMS

Logs
these are the logs for the homepage:

APPEND  /  -  0.09217875700000278
EXTEND  /  -  0.15967835999999735

APPEND  /media/images/Dickerson.original.png  -  0.46827753300000197
APPEND  /media/images/Broussard_S.original.png  -  0.4253112329999986
APPEND  /media/images/headshot--weintraub_GmIreiA.original.png  -  0.5917386719999982
APPEND  /media/images/Cooksey.original.png  -  0.6188097930000005
APPEND  /media/images/headshot--trainor.original.png  -  0.6825563189999997
APPEND  /media/images/headshot--walther.original.png  -  0.6589632230000007

EXTEND  /media/images/headshot--weintraub_GmIreiA.original.png  -  0.8859779359999997
EXTEND  /media/images/Broussard_S.original.png  -  1.0677596109999996
EXTEND  /media/images/Cooksey.original.png  -  0.8638424969999967
EXTEND  /media/images/Dickerson.original.png  -  1.1074821539999995
EXTEND  /media/images/headshot--trainor.original.png  -  0.9443037020000027
EXTEND  /media/images/headshot--walther.original.png  -  0.8281233330000006
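The split proposed in the question (a per-environment policy fixed at deploy time, with only the CMS-logged-in case handled per request), as an added example for this issue; it is not the project's middleware.py or settings modules. The directive lists are the ones quoted in the issue; the settings layout, the environment names, CMS_USER_EXTRAS and the function names are assumptions. Two caveats worth having next to the numbers: timeit.timeit() runs its statement 1,000,000 times by default, so each figure logged above is the cost of a million list operations, and the per-request cost of either call is well under a microsecond; and CSP keywords such as self and unsafe-inline must be single-quoted in the header value, because an unquoted self is parsed by the browser as a host named "self" rather than the keyword. The serializer below adds those quotes and drops duplicate sources.

```python
"""CSP built once per environment at import time, extended per request only for CMS users.

Added example for issue #4859; not the project's middleware.py or settings modules.
Source lists come from the issue text; ENV names, CMS_USER_EXTRAS and function names are assumed.
"""
import timeit

# Keyword sources must be single-quoted in the header; an unquoted `self` is a host named "self".
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
                "strict-dynamic", "report-sample"}
CSP_QUOTED_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

# Values from the issue (written unquoted there; the serializer adds the quotes).
BASE_CSP = {
    "default-src": ["self", "*.fec.gov", "*.app.cloud.gov"],
    "connect-src": ["self", "*.fec.gov", "*.app.cloud.gov", "https://www.google-analytics.com"],
    "style-src": ["self", "unsafe-inline", "data:"],
}

# Assumed layout for settings/production.py, settings/dev.py: per-environment additions only.
ENV_EXTRAS = {
    "production": {},
    "dev": {
        "default-src": ["localhost:*", "http://127.0.0.1:*"],
        "style-src": ["https://fonts.googleapis.com", "https://tagmanager.google.com/",
                      "https://www.googletagmanager.com/debug/"],
    },
}

# Assumed placeholder for the "user is logged in to the CMS" additions the issue mentions.
CMS_USER_EXTRAS = {"img-src": ["self", "data:", "blob:"]}


def _quote(source):
    s = source.strip("'")
    if s in CSP_KEYWORDS or s.startswith(CSP_QUOTED_PREFIXES):
        return f"'{s}'"
    return s


def merge_policy(base, extras):
    """Return a new directive->sources dict; never mutates base (it is shared across requests)."""
    merged = {d: list(srcs) for d, srcs in base.items()}
    for directive, sources in extras.items():
        merged.setdefault(directive, []).extend(sources)  # one source per list item
    return merged


def serialize(policy):
    """Render the header value, quoting keywords and dropping duplicate sources."""
    parts = []
    for directive, sources in policy.items():
        seen = []
        for src in sources:
            q = _quote(src)
            if q not in seen:
                seen.append(q)
        parts.append(f"{directive} {' '.join(seen)}")
    return "; ".join(parts)


# Computed once at process start, not on every asset request.
STATIC_CSP = {env: serialize(merge_policy(BASE_CSP, extras)) for env, extras in ENV_EXTRAS.items()}


def csp_header(env, is_cms_user=False):
    """Per-request work: return the precomputed string, or rebuild only for CMS-logged-in users."""
    if not is_cms_user:
        return STATIC_CSP[env]
    return serialize(merge_policy(merge_policy(BASE_CSP, ENV_EXTRAS[env]), CMS_USER_EXTRAS))


def same_header_either_way():
    """The issue's two variants produce identical header text; extend keeps one source per item."""
    a = {"default-src": ["self", "*.fec.gov"]}
    b = {"default-src": ["self", "*.fec.gov"]}
    a["default-src"].append("localhost:* http://127.0.0.1:*")
    b["default-src"].extend(["localhost:*", "http://127.0.0.1:*"])
    return serialize(a) == serialize(b) and len(a["default-src"]) == 3 and len(b["default-src"]) == 4


def per_call_microseconds(number=100_000):
    """Cost of ONE append vs ONE extend; timeit's total is for `number` calls (default 1,000,000)."""
    setup = 'csp={"default-src": ["self","*.fec.gov","*.app.cloud.gov"]}'
    t_append = timeit.timeit('csp["default-src"].append("localhost:* http://127.0.0.1:*")', setup, number=number)
    t_extend = timeit.timeit('csp["default-src"].extend(["localhost:*","http://127.0.0.1:*"])', setup, number=number)
    return t_append / number * 1e6, t_extend / number * 1e6


if __name__ == "__main__":
    for env in ENV_EXTRAS:
        print(env, "->", csp_header(env))
    print("cms user on dev ->", csp_header("dev", is_cms_user=True))
    print("same header text either way:", same_header_either_way())
    print("us per call (append, extend):", per_call_microseconds())
```

The middleware then only does `response["Content-Security-Policy"] = csp_header(env, request.user.is_staff)` (or whatever the CMS-login test is); the string for the common case is a dictionary lookup, and the base dict is never mutated, so a request cannot leak its additions into the next one. Whether extras are kept as one space-joined string or as separate items makes no difference to the header text, but separate items are what lets the serializer de-duplicate and what a reviewer can diff source by source.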
Projects
Status: 🗄️ PI backlog