@@ -950,25 +950,47 @@ def init_sentry(before_send: Callable | None = None):
950950# ideally we'd use BASE_URI but it'd have to be lazy or cause issues
951951CSP_DEFAULT_SRC = [
952952 "'self'" ,
953- ] + config ("CSP_EXTRA_DEFAULT_SRC" , default = [], split = True )
953+ ] + config (
954+ "CSP_EXTRA_DEFAULT_SRC" ,
955+ default = [],
956+ split = True ,
957+ help_text = "Extra default source URLs for CSP other than ``self``. "
958+ "Used for ``img-src``, ``style-src`` and ``script-src``" ,
959+ )
954960
955961CSP_REPORT_PERCENTAGE = config ("CSP_REPORT_PERCENTAGE" , 1.0 ) # float between 0 and 1
956962
957963CSP_FORM_ACTION = (
958964 config (
959965 "CSP_FORM_ACTION" ,
960966 default = ["\" 'self'\" " ]
961- + config ("CSP_EXTRA_FORM_ACTION" , default = [], split = True ),
967+ + config (
968+ "CSP_EXTRA_FORM_ACTION" ,
969+ default = [],
970+ split = True ,
971+ help_text = "Add additional ``form-action`` source to the default " ,
972+ ),
962973 split = True ,
974+ help_text = "Override the default ``form-action`` source" ,
963975 )
964976 + CORS_ALLOWED_ORIGINS
965977)
966978
967- CSP_IMG_SRC = CSP_DEFAULT_SRC + config ("CSP_EXTRA_IMG_SRC" , default = [], split = True )
979+ CSP_IMG_SRC = CSP_DEFAULT_SRC + config (
980+ "CSP_EXTRA_IMG_SRC" ,
981+ default = [],
982+ split = True ,
983+ help_text = "Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``." ,
984+ )
968985
969986# affects <object> and <embed> tags, block everything by default but allow deploy-time
970987# overrides.
971- CSP_OBJECT_SRC = config ("CSP_OBJECT_SRC" , default = ["\" 'none'\" " ], split = True )
988+ CSP_OBJECT_SRC = config (
989+ "CSP_OBJECT_SRC" ,
990+ default = ["\" 'none'\" " ],
991+ split = True ,
992+ help_text = "``object-src`` urls" ,
993+ )
972994
973995# we must include this explicitly, otherwise the style-src only includes the nonce because
974996# of CSP_INCLUDE_NONCE_IN
0 commit comments