2018-10-22 13:22:23 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
class CspReportsController < ApplicationController
|
|
|
|
skip_before_action :check_xhr, :preload_json, :verify_authenticity_token, only: [:create]
|
|
|
|
|
|
|
|
def create
|
|
|
|
raise Discourse::NotFound unless report_collection_enabled?
|
|
|
|
|
|
|
|
Logster.add_to_env(request.env, 'CSP Report', report)
|
2020-04-02 11:16:38 -04:00
|
|
|
Rails.logger.warn("CSP Violation: '#{report['blocked-uri']}' \n\n#{report['script-sample']}")
|
2018-10-22 13:22:23 -04:00
|
|
|
|
|
|
|
head :ok
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def report
|
|
|
|
@report ||= JSON.parse(request.body.read)['csp-report'].slice(
|
|
|
|
'blocked-uri',
|
|
|
|
'disposition',
|
|
|
|
'document-uri',
|
|
|
|
'effective-directive',
|
|
|
|
'original-policy',
|
|
|
|
'referrer',
|
|
|
|
'script-sample',
|
|
|
|
'status-code',
|
|
|
|
'violated-directive',
|
|
|
|
'line-number',
|
|
|
|
'source-file'
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def report_collection_enabled?
|
2018-11-14 16:23:29 -05:00
|
|
|
SiteSetting.content_security_policy_collect_reports
|
2018-10-22 13:22:23 -04:00
|
|
|
end
|
|
|
|
end
|