discourse/app/controllers/csp_reports_controller.rb

# frozen_string_literal: true
class CspReportsController < ApplicationController
  skip_before_action :check_xhr, :preload_json, :verify_authenticity_token, only: [:create]

  def create
    raise Discourse::NotFound unless report_collection_enabled?

    Logster.add_to_env(request.env, 'CSP Report', report)
    Rails.logger.warn("CSP Violation: '#{report['blocked-uri']}'")

    head :ok
  end

  private

  def report
    @report ||= JSON.parse(request.body.read)['csp-report'].slice(
      'blocked-uri',
      'disposition',
      'document-uri',
      'effective-directive',
      'original-policy',
      'referrer',
      'script-sample',
      'status-code',
      'violated-directive',
      'line-number',
      'source-file'
    )
  end

  def report_collection_enabled?
    ContentSecurityPolicy.enabled? && SiteSetting.content_security_policy_collect_reports
  end
end
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 12:22:23 -05:00			`# frozen_string_literal: true`
			`class CspReportsController < ApplicationController`
			`skip_before_action :check_xhr, :preload_json, :verify_authenticity_token, only: [:create]`

			`def create`
			`raise Discourse::NotFound unless report_collection_enabled?`

			`Logster.add_to_env(request.env, 'CSP Report', report)`
			`Rails.logger.warn("CSP Violation: '#{report['blocked-uri']}'")`

			`head :ok`
			`end`

			`private`

			`def report`
			`@report \|\|= JSON.parse(request.body.read)['csp-report'].slice(`
			`'blocked-uri',`
			`'disposition',`
			`'document-uri',`
			`'effective-directive',`
			`'original-policy',`
			`'referrer',`
			`'script-sample',`
			`'status-code',`
			`'violated-directive',`
			`'line-number',`
			`'source-file'`
			`)`
			`end`

			`def report_collection_enabled?`
			`ContentSecurityPolicy.enabled? && SiteSetting.content_security_policy_collect_reports`
			`end`
			`end`