drop deprecated middlewares

sdelements · Jun 7, 2024 · a3af3b8 · a3af3b8
1 parent 6a43ba4
commit a3af3b8
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 359 deletions.
diff --git a/README.md b/README.md
@@ -40,8 +40,8 @@ Middleware modules can be added to `MIDDLEWARE` list in settings file:
 
     MIDDLEWARE = (
         ...
-        'security.middleware.DoNotTrackMiddleware',
-        'security.middleware.XFrameOptionsMiddleware',
+        'security.middleware.LoginRequiredMiddleware',
+        ...
     )
 
 Unlike the modules listed above, some other modules **require**  configuration settings,
@@ -73,12 +73,6 @@ or minimum configuration.
 <td>Required.</td>
 </tr>
 
-<tr>
-<td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.DoNotTrackMiddleware">DoNotTrackMiddleware</a></td>
-<td>Read user browser's DoNotTrack preference and pass it to application.  <em>Recommended,</em> requires implementation in views and templates.</td>
-<td>None.</td>
-</tr>
-
 <tr>
 <td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.LoginRequiredMiddleware">LoginRequiredMiddleware</a></td>
 <td>Requires a user to be authenticated to view any page on the site that hasn't been white listed.</td>
@@ -97,12 +91,6 @@ or minimum configuration.
 <td>Required.</td>
 </tr>
 
-<tr>
-<td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.P3PPolicyMiddleware">P3PPolicyMiddleware</a></td>
-<td><b>DEPRECATED: </b>Will be removed in future releases.<br/>Adds the HTTP header attribute specifying compact P3P policy.</td>
-<td>Required.</td>
-</tr>
-
 <tr>
 <td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.ReferrerPolicyMiddleware">ReferrerPolicyMiddleware</a></td>
 <td>Specify when the browser will set a `Referer` header.</td>
@@ -115,18 +103,6 @@ or minimum configuration.
 <td>Required.</td>
 </tr>
 
-<tr>
-<td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.StrictTransportSecurityMiddleware">StrictTransportSecurityMiddleware</a></td>
-<td><b>DEPRECATED: </b>Will be removed in future releases, consider <a href="https://docs.djangoproject.com/en/4.2/ref/middleware/#django.middleware.security.SecurityMiddleware">django.middleware.security.SecurityMiddleware</a> via <i>SECURE_HSTS_SECONDS</i>, <i>SECURE_HSTS_INCLUDE_SUBDOMAINS</i> and <i>SECURE_HSTS_PRELOAD</i> settings.<br/>Enforce SSL/TLS connection and disable plaintext fall-back. <em>Recommended</em> for SSL/TLS sites.</td>
-<td>Optional.</td>
-</tr>
-
-<tr>
-<td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.XFrameOptionsMiddleware">XFrameOptionsMiddleware</a></td>
-<td>Disable framing of the website, mitigating Clickjacking attacks. <em>Recommended.</em></td>
-<td>Optional.</td>
-</tr>
-
 <tr>
 <td><a href="http://django-security.readthedocs.org/en/latest/#security.middleware.ProfilingMiddleware">ProfilingMiddleware</a></td>
 <td>A simple middleware to capture useful profiling information in Django.</td>

diff --git a/security/middleware.py b/security/middleware.py
@@ -24,7 +24,6 @@
 from ua_parser import user_agent_parser
 
 logger = logging.getLogger(__name__)
-DJANGO_SECURITY_MIDDLEWARE_URL = "https://docs.djangoproject.com/en/4.2/ref/middleware/#django.middleware.security.SecurityMiddleware"
 DJANGO_CLICKJACKING_MIDDLEWARE_URL = (
     "https://docs.djangoproject.com/en/4.2/ref/clickjacking/"
 )
@@ -187,86 +186,6 @@ def process_response(self, request, response):
         return response
 
 
-class XssProtectMiddleware(BaseMiddleware):
-    """
-    DEPRECATED: Will be removed in future releases. Consider
-    django.middleware.security.SecurityMiddleware as a replacement for this via
-    SECURE_BROWSER_XSS_FILTER setting.
-
-    Sends X-XSS-Protection HTTP header that controls Cross-Site Scripting
-    filter on MSIE. Use XSS_PROTECT option in settings file with the following
-    values:
-
-      ``sanitize``   enable XSS filter that tries to sanitize requests instead
-      of blocking (*default*)
-
-      ``on``         enable full XSS filter blocking XSS requests (may `leak
-      document.referrer <http://homakov.blogspot.com/2013/02/hacking-with-xss-
-      auditor.html>`_)
-
-      ``off``        completely disable XSS filter
-
-    **Note:** As of 1.8, Django's `SECURE_BROWSER_XSS_FILTER
-    <https://docs.djangoproject.com/en/1.8/ref/settings/#secure-browser-xss-filter>`_
-    controls the X-XSS-Protection header.
-
-    Reference:
-
-    - `Controlling the XSS Filter
-      <http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-
-      internet-explorer-xss-filter-with-the-x-xss-protection-http-
-      header.aspx>`_
-    """
-
-    OPTIONAL_SETTINGS = ("XSS_PROTECT",)
-
-    OPTIONS = {
-        "on": "1; mode=block",
-        "off": "0",
-        "sanitize": "1",
-    }
-
-    DEFAULT = "sanitize"
-
-    def __init__(self, get_response=None):
-        super().__init__(get_response)
-        warnings.warn(
-            (
-                'DEPRECATED: The middleware "{name}" will no longer be '
-                "supported in future releases of this library. Refer to {url} for "
-                "an alternative approach with regards to the settings: {settings}"
-            ).format(
-                name=self.__class__.__name__,
-                url=DJANGO_SECURITY_MIDDLEWARE_URL,
-                settings="SECURE_BROWSER_XSS_FILTER",
-            ),
-            stacklevel=2,
-        )
-
-    def load_setting(self, setting, value):
-        if not value:
-            self.option = self.DEFAULT
-            return
-
-        value = value.lower()
-
-        if value in self.OPTIONS.keys():
-            self.option = value
-            return
-
-        raise ImproperlyConfigured(
-            self.__class__.__name__ + " invalid option for XSS_PROTECT."
-        )
-
-    def process_response(self, request, response):
-        """
-        Add X-XSS-Protection to the response header.
-        """
-        header = self.OPTIONS[self.option]
-        response["X-XSS-Protection"] = header
-        return response
-
-
 class ClearSiteDataMiddleware(BaseMiddleware):
     """
     Sends Clear-Site-Data HTTP response header on requests that match
@@ -318,52 +237,6 @@ def process_response(self, request, response):
         return response
 
 
-class ContentNoSniff(MiddlewareMixin):
-    """
-    DEPRECATED: Will be removed in future releases. Consider
-    django.middleware.security.SecurityMiddleware as a replacement for this via
-    SECURE_CONTENT_TYPE_NOSNIFF setting.
-
-    Sends X-Content-Options HTTP header to disable autodetection of MIME type
-    of files returned by the server in Microsoft Internet Explorer.
-    Specifically if this flag is enabled, MSIE will not load external CSS and
-    JavaScript files unless server correctly declares their MIME type. This
-    mitigates attacks where web page would for example load a script that was
-    disguised as an user- supplied image.
-
-    **Note:** As of 1.8, Django's `SECURE_CONTENT_TYPE_NOSNIFF
-    <https://docs.djangoproject.com/en/1.8/ref/settings/#secure-content-type-nosniff>`_
-    controls the X-Content-Type-Options header.
-
-    Reference:
-
-    - `MIME-Handling Change: X-Content-Type-Options: nosniff
-      <http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx>`_
-    """
-
-    def __init__(self, get_response=None):
-        super().__init__(get_response)
-        warnings.warn(
-            (
-                'DEPRECATED: The middleware "{name}" will no longer be '
-                "supported in future releases of this library. Refer to {url} for "
-                "an alternative approach with regards to the settings: {settings}"
-            ).format(
-                name=self.__class__.__name__,
-                url=DJANGO_SECURITY_MIDDLEWARE_URL,
-                settings="SECURE_CONTENT_TYPE_NOSNIFF",
-            ),
-            stacklevel=2,
-        )
-
-    def process_response(self, request, response):
-        """
-        Add ``X-Content-Options: nosniff`` to the response header.
-        """
-        response["X-Content-Options"] = "nosniff"
-        return response
-
-
 class MandatoryPasswordChangeMiddleware(BaseMiddleware):
     """
     Redirects any request from an authenticated user to the password change
@@ -937,138 +810,6 @@ def process_response(self, request, response):
         return response
 
 
-class StrictTransportSecurityMiddleware(MiddlewareMixin):
-    """
-    DEPRECATED: Will be removed in future releases. Consider
-    django.middleware.security.SecurityMiddleware as a replacement for this via
-    SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS and
-    SECURE_HSTS_PRELOAD settings.
-
-    Adds Strict-Transport-Security header to HTTP
-    response that enforces SSL connections on compliant browsers. Two
-    parameters can be set in settings file, otherwise reasonable
-    defaults will be used:
-
-      - ``STS_MAX_AGE``               time in seconds to preserve host's STS
-        policy (default: 1 year)
-      - ``STS_INCLUDE_SUBDOMAINS``    True if subdomains should be covered by
-        the policy as well (default: True)
-      - ``STS_PRELOAD``               add ``preload`` flag to the STS header
-        so that your website can be added to preloaded websites list
-
-    **Note:** As of 1.8, Django's `SECURE_HSTS_SECONDS
-    <https://docs.djangoproject.com/en/1.8/ref/settings/#secure-hsts-seconds>`_
-    controls the HTTP Strict Transport Security header.
-
-    Reference:
-
-    - `HTTP Strict Transport Security (HSTS)
-     <https://datatracker.ietf.org/doc/rfc6797/>`_
-    - `Preloaded HSTS sites <http://www.chromium.org/sts>`_
-    """
-
-    def __init__(self, get_response=None):
-        warnings.warn(
-            (
-                'DEPRECATED: The middleware "{name}" will no longer be '
-                "supported in future releases of this library. Refer to {url} for "
-                "an alternative approach with regards to the settings: {settings}"
-            ).format(
-                name=self.__class__.__name__,
-                url=DJANGO_SECURITY_MIDDLEWARE_URL,
-                settings=", ".join(
-                    [
-                        "SECURE_HSTS_SECONDS",
-                        "SECURE_HSTS_INCLUDE_SUBDOMAINS",
-                        "SECURE_HSTS_PRELOAD",
-                    ]
-                ),
-            ),
-            stacklevel=2,
-        )
-
-        self.get_response = get_response
-
-        try:
-            self.max_age = django.conf.settings.STS_MAX_AGE
-        except AttributeError:
-            self.max_age = 3600 * 24 * 365  # one year
-
-        try:
-            self.subdomains = django.conf.settings.STS_INCLUDE_SUBDOMAINS
-        except AttributeError:
-            self.subdomains = True
-
-        try:
-            self.preload = django.conf.settings.STS_PRELOAD
-        except AttributeError:
-            self.preload = True
-
-        self.value = "max-age={0}".format(self.max_age)
-
-        if self.subdomains:
-            self.value += " ; includeSubDomains"
-
-        if self.preload:
-            self.value += " ; preload"
-
-    def process_response(self, request, response):
-        """
-        Add Strict-Transport-Security header.
-        """
-        response["Strict-Transport-Security"] = self.value
-        return response
-
-
-class P3PPolicyMiddleware(BaseMiddleware):
-    """
-    DEPRECATED: Will be removed in future releases.
-
-    Adds the HTTP header attribute specifying compact P3P policy
-    defined in P3P_COMPACT_POLICY setting and location of full
-    policy defined in P3P_POLICY_URL. If the latter is not defined,
-    a default value is used (/w3c/p3p.xml). The policy file needs to
-    be created by website owner.
-
-    **Note:** P3P work stopped in 2002 and the only popular
-    browser with **limited** P3P support is MSIE.
-
-    Reference:
-
-    - `The Platform for Privacy Preferences 1.0 (P3P1.0) Specification - The
-      Compact Policies <http://www.w3.org/TR/P3P/#compact_policies>`_
-    """
-
-    REQUIRED_SETTINGS = ("P3P_COMPACT_POLICY",)
-    OPTIONAL_SETTINGS = ("P3P_POLICY_URL",)
-
-    def __init__(self, get_response=None):
-        super().__init__(get_response)
-        warnings.warn(
-            (
-                'DEPRECATED: The middleware "{name}" will no longer be '
-                "supported in future releases of this library."
-            ).format(name=self.__class__.__name__),
-            stacklevel=2,
-        )
-
-    def load_setting(self, setting, value):
-        if setting == "P3P_COMPACT_POLICY":
-            self.policy = value
-        elif setting == "P3P_POLICY_URL":
-            self.policy_url = value or "/w3c/p3p.xml"
-
-    def process_response(self, request, response):
-        """
-        Add P3P policy to the response header.
-        """
-        response["P3P"] = 'policyref="{0}" CP="{1}"'.format(
-            self.policy_url,
-            self.policy,
-        )
-        return response
-
-
 class SessionExpiryPolicyMiddleware(CustomLogoutMixin, BaseMiddleware):
     """
     The session expiry middleware will let you expire sessions on

diff --git a/tests/settings.py b/tests/settings.py
@@ -42,11 +42,7 @@
     "security.middleware.SessionExpiryPolicyMiddleware",
     "security.middleware.LoginRequiredMiddleware",
     "security.middleware.XFrameOptionsMiddleware",
-    "security.middleware.ContentNoSniff",
     "security.middleware.ContentSecurityPolicyMiddleware",
-    "security.middleware.StrictTransportSecurityMiddleware",
-    "security.middleware.P3PPolicyMiddleware",
-    "security.middleware.XssProtectMiddleware",
     "security.middleware.MandatoryPasswordChangeMiddleware",
     "security.middleware.NoConfidentialCachingMiddleware",
     "security.auth_throttling.Middleware",
@@ -133,8 +129,6 @@
 X_FRAME_OPTIONS_EXCLUDE_URLS = (r"^/test\d/$",)
 CSP_STRING = "allow 'self'; script-src *.google.com"
 CSP_MODE = "enforce"
-P3P_POLICY_URL = "/w3c/p3p.xml"
-P3P_COMPACT_POLICY = "PRIVATE"
 
 LOGGING = {
     "version": 1,