blob: 5a3b55e43ea436b9d3f7542f11f3d288e239b292 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
class CspReportsController < ApplicationController
# Browsers POST application/csp-report with no CSRF token, no session.
skip_before_action :verify_authenticity_token
def create
request.body.rewind if request.body.respond_to?(:rewind)
raw = request.body.read(8192)
raw = request.raw_post if raw.blank?
report = (JSON.parse(raw)["csp-report"] rescue nil)
if report
directive = report["effective-directive"] || report["violated-directive"]
at = (URI.parse(report["document-uri"]).path rescue "unparsed")
CSP_LOGGER.warn("CSP violation: #{directive} blocked=#{report['blocked-uri']} at=#{at}")
else
CSP_LOGGER.warn("CSP violation: unparseable report (#{raw.to_s.bytesize} bytes)")
end
head :no_content
end
end
|