Description
I'm working to get djangosaml2 working with django-csp, which is a very nice integration. However, I've noticed that despite the code existing and django-csp being installed, the nonce isn't added when post_binding_form.html is rendered:
I think the issue is here:
<script type="text/javascript"{% if request.csp_nonce %} nonce="{{ request.csp_nonce }}"{% endif %}>
Namely it does
{% if request.csp_nonce %} nonce="{{ request.csp_nonce }}"{% endif %}
Which is presumably intended to leave the nonce out if django-csp is not installed. However, according to the django-csp docs (https://django-csp.readthedocs.io/en/latest/nonce.html):
It is always safe to test request.csp_nonce, such as bool(request.csp_nonce) or in a conditional like if request.csp_nonce: .... This will return True if the nonce was accessed and generated, and False if not accessed or generated yet.
So this only adds a nonce if something else has accessed a nonce -- which seems unlikely unless you add specific middleware to do so.
I suspect this check was supposed to check if django-csp was installed, not if a nonce had been accessed in a different part of the code (unless I'm misreading).
There's an easy enough workaround: override post_binding_form.html and just remove the check.
I would add a fix but I'm not exactly sure where the best place to check if django-csp exists is.
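The following is an added example, not code from djangosaml2 or django-csp. It models the behaviour the django-csp docs quoted above describe for request.csp_nonce (generated on first use, falsy until then) with a small stand-in class, then renders the `<script>` tag two ways: the truthiness check used in post_binding_form.html, and an alternative that emits the nonce whenever the middleware has set the attribute at all (hasattr). The LazyNonce and Request classes, the hasattr approach and the sample values are assumptions made for illustration; they are not django-csp's implementation.

```python
"""Model of the nonce check discussed in the report above.

Added example; not djangosaml2 or django-csp code. LazyNonce models the
documented behaviour of request.csp_nonce (falsy until accessed), it is not
the library's implementation.
"""
import base64
import os
from html import escape


class LazyNonce:
    """Stand-in for the lazy request.csp_nonce object described in the docs:
    the value is generated on first str() access and the object is falsy
    until that has happened. (Modelled behaviour, not django-csp's code.)"""

    def __init__(self):
        self._value = None

    def __bool__(self):
        # Per the quoted docs: True only once the nonce has been generated.
        return self._value is not None

    def __str__(self):
        if self._value is None:
            # 16 random bytes, base64-encoded, as CSP nonces usually are.
            self._value = base64.b64encode(os.urandom(16)).decode("ascii")
        return self._value


class Request:
    """Minimal request object. with_csp=True mimics the CSP middleware having
    run and attached a lazy nonce; with_csp=False mimics no django-csp."""

    def __init__(self, with_csp):
        if with_csp:
            self.csp_nonce = LazyNonce()


def script_tag_truthiness(request):
    """Equivalent of the template's {% if request.csp_nonce %} check.
    A failed lookup renders as falsy, like Django's string_if_invalid."""
    nonce = getattr(request, "csp_nonce", None)
    attr = f' nonce="{escape(str(nonce))}"' if nonce else ""
    return f'<script type="text/javascript"{attr}>'


def script_tag_presence(request):
    """Alternative check (assumption, not in the report): emit the nonce when
    the middleware set the attribute at all, i.e. hasattr(request, 'csp_nonce').
    Calling str() here forces generation, so the value becomes truthy and is
    available to whatever later builds the Content-Security-Policy header."""
    if not hasattr(request, "csp_nonce"):
        return '<script type="text/javascript">'
    return f'<script type="text/javascript" nonce="{escape(str(request.csp_nonce))}">'


def has_nonce(tag):
    """True if a rendered script tag carries a nonce attribute."""
    return ' nonce="' in tag


if __name__ == "__main__":
    fresh = Request(with_csp=True)
    print("truthiness check, nothing accessed yet:", script_tag_truthiness(fresh))
    print("presence check, nothing accessed yet:  ", script_tag_presence(fresh))
    print("without django-csp at all:             ", script_tag_presence(Request(with_csp=False)))
```

Run stand-alone, the first line prints a tag without a nonce even though the middleware is "installed", which is the behaviour the report describes; the second line prints a tag with a nonce, and the third shows the presence check still degrades cleanly when the attribute is absent.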