# frozen_string_literal: true
					
						
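# Receives Content-Security-Policy violation reports POSTed by browsers and
# forwards them to the logs. The endpoint is unauthenticated by nature: the
# browser sends the report outside of any XHR/CSRF flow, so everything in the
# body must be treated as untrusted input.
class CspReportsController < ApplicationController
  # Browser-originated CSP reports carry no CSRF token and are not XHR, so the
  # usual request checks would reject every legitimate report.
  skip_before_action :check_xhr, :preload_json, :verify_authenticity_token, only: [:create]

  # Keys of the `csp-report` object that are retained; anything else the
  # client sends is dropped before the report reaches the logs.
  REPORT_KEYS = %w[
    blocked-uri
    disposition
    document-uri
    effective-directive
    original-policy
    referrer
    script-sample
    status-code
    violated-directive
    line-number
    source-file
  ].freeze

  # Logs a single CSP violation report and answers 200 with no body.
  #
  # @raise [Discourse::NotFound] when report collection is disabled, so the
  #   endpoint is indistinguishable from a missing route while switched off
  # @raise [Discourse::InvalidParameters] when the body is not a JSON object
  #   carrying a `csp-report` object (see #report)
  def create
    raise Discourse::NotFound unless report_collection_enabled?

    Logster.add_to_env(request.env, 'CSP Report', report)
    # Both interpolated values are client-controlled; `script-sample` may
    # contain newlines and is not length-limited here.
    Rails.logger.warn("CSP Violation: '#{report['blocked-uri']}' \n\n#{report['script-sample']}")

    head :ok
  end

  private

  # The whitelisted subset of the report body, memoized per request.
  #
  # Malformed bodies (invalid JSON, a non-object top level, or a missing /
  # non-object `csp-report` member) are rejected as invalid parameters instead
  # of surfacing as NoMethodError/JSON::ParserError 500s in the error logs.
  # NOTE(review): the body is read in full with no size cap — confirm the
  # request body limit enforced upstream of this controller.
  #
  # @return [Hash{String => Object}] only the REPORT_KEYS present in the report
  # @raise [Discourse::InvalidParameters] when the body cannot be used as a report
  def report
    @report ||= begin
      parsed = JSON.parse(request.body.read)
      payload = parsed['csp-report'] if parsed.is_a?(Hash)
      raise Discourse::InvalidParameters, 'csp-report' unless payload.is_a?(Hash)

      payload.slice(*REPORT_KEYS)
    rescue JSON::ParserError
      raise Discourse::InvalidParameters, 'csp-report'
    end
  end

  # Whether the site setting that switches report collection on is enabled.
  #
  # @return [Boolean]
  def report_collection_enabled?
    SiteSetting.content_security_policy_collect_reports
  end
end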