diff options
Diffstat (limited to 'app/controllers/csp_reports_controller.rb')
| -rw-r--r-- | app/controllers/csp_reports_controller.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/app/controllers/csp_reports_controller.rb b/app/controllers/csp_reports_controller.rb new file mode 100644 index 0000000..5a3b55e --- /dev/null +++ b/app/controllers/csp_reports_controller.rb | |||
| @@ -0,0 +1,22 @@ | |||
| 1 | class CspReportsController < ApplicationController | ||
| 2 | # Browsers POST application/csp-report with no CSRF token, no session. | ||
| 3 | skip_before_action :verify_authenticity_token | ||
| 4 | |||
| 5 | def create | ||
| 6 | request.body.rewind if request.body.respond_to?(:rewind) | ||
| 7 | raw = request.body.read(8192) | ||
| 8 | raw = request.raw_post if raw.blank? | ||
| 9 | |||
| 10 | report = (JSON.parse(raw)["csp-report"] rescue nil) | ||
| 11 | |||
| 12 | if report | ||
| 13 | directive = report["effective-directive"] || report["violated-directive"] | ||
| 14 | at = (URI.parse(report["document-uri"]).path rescue "unparsed") | ||
| 15 | CSP_LOGGER.warn("CSP violation: #{directive} blocked=#{report['blocked-uri']} at=#{at}") | ||
| 16 | else | ||
| 17 | CSP_LOGGER.warn("CSP violation: unparseable report (#{raw.to_s.bytesize} bytes)") | ||
| 18 | end | ||
| 19 | |||
| 20 | head :no_content | ||
| 21 | end | ||
| 22 | end | ||
