build(deps): update django-csp requirement from ~=3.8 to ~=4.0 in the django-extensions group

[dependabot]

Updates the requirements on django-csp to permit the latest version.
Updates django-csp to 4.0

Release notes

Sourced from django-csp's releases.

v4.0

This release contains several breaking changes. For a complete migration guide, see: https://django-csp.readthedocs.io/en/latest/migration-guide.html

Breaking Changes

• Configuration Format: Moved to dict-based configuration which allows for setting policies for both enforced and report-only. Instead of using individual settings with CSP_ prefixes, you now use dictionaries called CONTENT_SECURITY_POLICY and/or CONTENT_SECURITY_POLICY_REPORT_ONLY. (#219)

  You can use Django's check command to automatically identify existing CSP settings and generate a template for the new configuration format:

  python manage.py check
  

  This will detect your old CSP_ prefixed settings and output a draft of the new dict-based configuration, giving you a starting point for migration.

  Example:

  Change from:

  CSP_DEFAULT_SRC = ["'self'", "*.example.com"]
  CSP_SCRIPT_SRC = ["'self'", "js.cdn.com/example/"]
  CSP_IMG_SRC = ["'self'", "data:", "example.com"]
  CSP_EXCLUDE_URL_PREFIXES = ["/admin"]

  to:

  from csp.constants import SELF
  CONTENT_SECURITY_POLICY = {
  "DIRECTIVES": {
  "default-src": [SELF, "*.example.com"],
  "script-src": [SELF, "js.cdn.com/example/"],
  "img-src": [SELF, "data:", "example.com"],
  },
  "EXCLUDE_URL_PREFIXES": ["/admin"],
  }

• Nonce Configuration: Switched from specifying directives that should contain nonces as a separate list to using a sentinel NONCE value in the directive itself. (#223)

  Example:

... (truncated)

Changelog

Sourced from django-csp's changelog.

4.0

This release contains several breaking changes. For a complete migration guide, see: https://django-csp.readthedocs.io/en/latest/migration-guide.html

Breaking Changes

• Configuration Format: Moved to dict-based configuration which allows for setting policies for both enforced and report-only. Instead of using individual settings with CSP_ prefixes, you now use dictionaries called CONTENT_SECURITY_POLICY and/or CONTENT_SECURITY_POLICY_REPORT_ONLY. (#219)

  You can use Django's check command to automatically identify existing CSP settings and generate a template for the new configuration format:

  python manage.py check
  

  This will detect your old CSP_ prefixed settings and output a draft of the new dict-based configuration, giving you a starting point for migration.

  Example:

  Change from:

  CSP_DEFAULT_SRC = ["'self'", "*.example.com"]
  CSP_SCRIPT_SRC = ["'self'", "js.cdn.com/example/"]
  CSP_IMG_SRC = ["'self'", "data:", "example.com"]
  CSP_EXCLUDE_URL_PREFIXES = ["/admin"]

  to:

  from csp.constants import SELF
  CONTENT_SECURITY_POLICY = {
  "DIRECTIVES": {
  "default-src": [SELF, "*.example.com"],
  "script-src": [SELF, "js.cdn.com/example/"],
  "img-src": [SELF, "data:", "example.com"],
  },
  "EXCLUDE_URL_PREFIXES": ["/admin"],
  }

• Nonce Configuration: Switched from specifying directives that should contain nonces as a separate list to using a sentinel NONCE value in the directive itself. (#223)

... (truncated)

Commits

• 6d5cc6c Prep for 4.0 release
• 9d06e25 docs: Update configuration exclude info
• d6bff9f Prep for 4.0b7 release
• 395d928 Remove CSPMiddlewareAlwaysGenerateNonce
• 4054a7b Prepare for 4.0b6 release
• 3553412 Fix CSPMiddlewareAlwaysGenerateNonce
• 970be26 Prep for django-csp==4.0b5
• 834e628 Reformat with pyproject-fmt
• 580c1fc Upgrade ReadTheDocs environment
• 40c89d4 Expand tests for nonce usage in templates
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions