From 48b75b9036d9338ffaa2ca495f7f713792206ac1 Mon Sep 17 00:00:00 2001 From: Tim Schilling Date: Tue, 12 Jul 2022 09:36:51 -0500 Subject: [PATCH 1/3] Check if djdt-store-id is in all headers before usage. Chromium throws an uncatchable warning when a header that can't be accessed is used. While it's not problematic, it's worrisome to developers. This avoids that by first checking that it exists. Fixes #1647 --- debug_toolbar/static/debug_toolbar/js/toolbar.js | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/debug_toolbar/static/debug_toolbar/js/toolbar.js b/debug_toolbar/static/debug_toolbar/js/toolbar.js
index 860c72110..1c06be7fa 100644
--- a/debug_toolbar/static/debug_toolbar/js/toolbar.js
+++ b/debug_toolbar/static/debug_toolbar/js/toolbar.js
@@ -264,8 +264,13 @@ const djdt = {
 const origOpen = XMLHttpRequest.prototype.open;
 XMLHttpRequest.prototype.open = function () {
 this.addEventListener("load", function () {
- let store_id = this.getResponseHeader("djdt-store-id");
- if (store_id !== null) {
+ // Chromium emits a "Refused to get unsafe header" uncatchable warning
+ // when the header can't be fetched. While it doesn't impede execution
+ // it's worrisome to developers.
+ if (
+ this.getAllResponseHeaders().indexOf("djdt-store-id") >= 0
+ ) {
+ let store_id = this.getResponseHeader("djdt-store-id");
 store_id = encodeURIComponent(store_id);
 const dest = `${sidebar_url}?store_id=${store_id}`;
 slowjax(dest).then(function (data) {
From 1b0d50d22c4f62e0f0fc23086776578e0ab0bbdb Mon Sep 17 00:00:00 2001 From: Tim Schilling Date: Tue, 12 Jul 2022 09:37:40 -0500 Subject: [PATCH 2/3] Change header to djdt-store-id. Includes some tests to validate the HistoryPanel.get_headers method. --- debug_toolbar/panels/history/panel.py | 2 +- tests/panels/test_history.py | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-)
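Review bot: The presence test on the new `if (` line is an unanchored substring search, so `getAllResponseHeaders().indexOf("djdt-store-id") >= 0` is also true when that string merely appears inside another header's name or value; the listener then calls `getResponseHeader` for a header that is not actually there, which is the Chromium warning the comment says this avoids, and because the old `store_id !== null` guard is gone the `null` result flows into `encodeURIComponent` and the request is sent with `?store_id=null`. Anchoring the match to a header name at the start of a line keeps the intent in one line: `if (/^djdt-store-id:/im.test(this.getAllResponseHeaders())) {`. The lowercase literal relies on engines returning lowercased names from `getAllResponseHeaders()`, which current browsers do; the `i` flag covers engines that preserve case. The `open` override and the load listener continue past the end of the hunk.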
diff --git a/debug_toolbar/panels/history/panel.py b/debug_toolbar/panels/history/panel.py
index 596bcfb4a..2e637083a 100644
--- a/debug_toolbar/panels/history/panel.py
+++ b/debug_toolbar/panels/history/panel.py
@@ -24,7 +24,7 @@ def get_headers(self, request):
 observe_request = self.toolbar.get_observe_request()
 store_id = getattr(self.toolbar, "store_id")
 if store_id and observe_request(request):
- headers["DJDT-STORE-ID"] = store_id
+ headers["djdt-store-id"] = store_id
 return headers
 @property
diff --git a/tests/panels/test_history.py b/tests/panels/test_history.py
index 9f1457049..326fb55b6 100644
--- a/tests/panels/test_history.py
+++ b/tests/panels/test_history.py
@@ -99,6 +99,20 @@ def test_history_sidebar_invalid(self):
 response = self.client.get(reverse("djdt:history_sidebar"))
 self.assertEqual(response.status_code, 400)
+ def test_history_headers(self):
+ """Validate the headers injected from the history panel."""
+ response = self.client.get("/json_view/")
+ store_id = list(DebugToolbar._store)[0]
+ self.assertEqual(response.headers["djdt-store-id"], store_id)
+ @override_settings(
+ DEBUG_TOOLBAR_CONFIG={"OBSERVE_REQUEST_CALLBACK": lambda request: False}
+ )
+ def test_history_headers_unobserved(self):
+ """Validate the headers aren't injected from the history panel."""
+ response = self.client.get("/json_view/")
+ self.assertNotIn("djdt-store-id", response.headers)
+
 def test_history_sidebar(self):
 """Validate the history sidebar view."""
 self.client.get("/json_view/")
From e0417ef7161441d7e5faa81760f994f64ece88b5 Mon Sep 17 00:00:00 2001 From: Tim Schilling Date: Tue, 12 Jul 2022 09:38:14 -0500 Subject: [PATCH 3/3] Correct OBSERVE_REQUEST_CALLBACK default value in docs. --- docs/configuration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 7577be62d..6f4084ad5 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
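Review bot: The lowercase spelling on the `headers["djdt-store-id"] = store_id` line is load-bearing for the client rather than cosmetic, and nothing in the code says so: toolbar.js now searches `getAllResponseHeaders()` for the literal string `djdt-store-id`, so a later tidy-up back to `DJDT-STORE-ID` would be a valid HTTP header yet silently stop the history sidebar from refreshing in any engine that does not lowercase header names. A one-line comment above the assignment would protect it, e.g. `# Lowercase on purpose: toolbar.js matches this exact string in getAllResponseHeaders().`. The `def get_headers` line and the `headers` initialisation sit just above the hunk.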
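Review bot: `store_id = list(DebugToolbar._store)[0]` in `test_history_headers` takes whatever entry happens to be first in the toolbar store, which is this request's id only if the store was empty before the `self.client.get("/json_view/")` call and preserves insertion order; if the test class's setUp (outside the hunk) does not clear `DebugToolbar._store`, the assertion can pass or fail on a neighbouring test's entry. Pinning the precondition makes the test self-describing and the failure mode obvious: `self.assertEqual(len(DebugToolbar._store), 1)` before the lookup. The enclosing test class starts before the hunk.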
@@ -142,7 +142,7 @@ Toolbar options * ``OBSERVE_REQUEST_CALLBACK`` - Default: ``'debug_toolbar.middleware.observe_request'`` + Default: ``'debug_toolbar.toolbar.observe_request'`` This is the dotted path to a function used for determining whether the toolbar should update on AJAX requests or not. The default checks are that