From 488109ad410e8b9e5491ea10a18e1b81db8f039a Mon Sep 17 00:00:00 2001
From: Conor Holden
Date: Tue, 20 Aug 2024 10:32:32 +0200
Subject: [PATCH] :wrench:[#42] add CSP setting help texts
---
 open_api_framework/conf/base.py | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/open_api_framework/conf/base.py b/open_api_framework/conf/base.py
index 0d45134..b5382f0 100644
--- a/open_api_framework/conf/base.py
+++ b/open_api_framework/conf/base.py
@@ -950,7 +950,13 @@ def init_sentry(before_send: Callable | None = None):
 # ideally we'd use BASE_URI but it'd have to be lazy or cause issues
 CSP_DEFAULT_SRC = [
 "'self'",
-] + config("CSP_EXTRA_DEFAULT_SRC", default=[], split=True)
+] + config(
+ "CSP_EXTRA_DEFAULT_SRC",
+ default=[],
+ split=True,
+ help_text="Extra default source URLs for CSP other than ``self``. "
+ "Used for ``img-src``, ``style-src`` and ``script-src``",
+)
 CSP_REPORT_PERCENTAGE = config("CSP_REPORT_PERCENTAGE", 1.0) # float between 0 and 1
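Review bot: The new `help_text` for `CSP_EXTRA_DEFAULT_SRC` says the values are reused for `img-src`, `style-src` and `script-src`, but not what that implies for a deployer: every origin added here also becomes a permitted script source, so a wildcard or a broad CDN origin added "for images" silently widens script execution (the `CSP_IMG_SRC = CSP_DEFAULT_SRC + ...` line in the next hunk shows the img-src derivation; the style/script derivation is only asserted by the help text itself). Suggest `help_text="Extra CSP sources appended to ``'self'`` in ``default-src``. Because ``img-src``, ``style-src`` and ``script-src`` derive from this list, every origin listed here may also serve scripts; list specific origins rather than wildcards and use ``CSP_EXTRA_IMG_SRC`` for image-only hosts."`. "URLs" is also slightly off, since CSP source expressions include keywords and scheme sources, and the keyword is `'self'` with its quotes, not ``self``. The hunk header counts three trailing context lines but only the `CSP_REPORT_PERCENTAGE` line is visible, so the collapsed text appears to have dropped two (probably blank) lines.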
@@ -958,17 +964,33 @@ def init_sentry(before_send: Callable | None = None):
 config(
 "CSP_FORM_ACTION",
 default=["\"'self'\""]
- + config("CSP_EXTRA_FORM_ACTION", default=[], split=True),
+ + config(
+ "CSP_EXTRA_FORM_ACTION",
+ default=[],
+ split=True,
+ help_text="Add additional ``form-action`` source to the default ",
+ ),
 split=True,
+ help_text="Override the default ``form-action`` source",
 )
 + CORS_ALLOWED_ORIGINS
 )
-CSP_IMG_SRC = CSP_DEFAULT_SRC + config("CSP_EXTRA_IMG_SRC", default=[], split=True)
+CSP_IMG_SRC = CSP_DEFAULT_SRC + config(
+ "CSP_EXTRA_IMG_SRC",
+ default=[],
+ split=True,
+ help_text="Extra ``img-src`` sources for CSP other than ``CSP_DEFAULT_SRC``.",
+)
 # affects and tags, block everything by default but allow deploy-time
 # overrides.
-CSP_OBJECT_SRC = config("CSP_OBJECT_SRC", default=["\"'none'\""], split=True)
+CSP_OBJECT_SRC = config(
+ "CSP_OBJECT_SRC",
+ default=["\"'none'\""],
+ split=True,
+ help_text="``object-src`` urls",
+)
 # we must include this explicitly, otherwise the style-src only includes the nonce because
 # of CSP_INCLUDE_NONCE_IN
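Review bot: The inner `help_text` for `CSP_EXTRA_FORM_ACTION` is an unfinished sentence with a trailing space (`"... source to the default "`), and neither it nor the outer text says that the extras only take effect while `CSP_FORM_ACTION` is unset — they live inside its `default=`, so setting `CSP_FORM_ACTION` in the environment discards them (assuming `config` resolves the environment before falling back to the default, as a decouple-style helper does). Suggest `help_text="Additional ``form-action`` sources appended to the default ``'self'``; ignored when ``CSP_FORM_ACTION`` is set."` for the inner call and `help_text="Replace the default ``form-action`` sources entirely (``'self'`` plus ``CSP_EXTRA_FORM_ACTION`` are no longer applied)."` for the outer one; `CORS_ALLOWED_ORIGINS` is appended outside the `config` call and so is included either way, which is worth stating. The `CSP_OBJECT_SRC` text `"``object-src`` urls"` drops the one fact the surrounding comment records — that the default `'none'` is a deny-by-default control — so an operator reading the generated setting listing cannot tell that overriding it re-enables object/embed content; `help_text="``object-src`` sources. Defaults to ``'none'``, which blocks all object/embed content; override only to allow specific origins."` conveys that. The assignment that contains the first `config(` call starts before the hunk, and the header counts three more old lines than are visible, so blank context lines were likely lost in the collapsed text.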