From c5333bc279ac448195a33c8f0a8cc0c92d8c7d78 Mon Sep 17 00:00:00 2001
From: Mike Taylor
Date: Mon, 27 Feb 2017 17:49:12 -0600
Subject: [PATCH] Issue #1329. Add a Content-Security-Policy-Report-Only header.

This allows xhr, fonts, images, scripts, css from webcompat.com (or localhost). It also allows script from google-analytics.com. Let's leave it on for a week or so and see what we need to tweak before enabling the policy (and where to file bugs to improve security).
---
 webcompat/views.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/webcompat/views.py b/webcompat/views.py
index 1a06a61ab..6e49d262b 100644
--- a/webcompat/views.py
+++ b/webcompat/views.py
@@ -57,6 +57,15 @@ def after_request(response):
 response.headers['X-Content-Type-Options'] = 'nosniff'
 response.headers['X-XSS-Protection'] = '1; mode=block'
 response.headers['X-Frame-Options'] = 'DENY'
+ response.headers['Content-Security-Policy-Report-Only'] = (
+ "default-src 'none'; " +
+ "connect-src 'self'; " +
+ "font-src 'self'; " +
+ "img-src 'self'; " +
+ "script-src 'self' https://www.google-analytics.com; " +
+ "style-src 'self'; " +
+ "report-uri /csp-report"
+ )
 return response
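Review bot: `report-uri /csp-report` names a route that nothing in this hunk registers, and the diffstat shows only views.py changed, so unless that endpoint already exists the browsers' violation reports will be POSTed to a 404 and the week of observation the commit message asks for will collect nothing; whatever handles it should accept `application/csp-report` POST bodies of bounded size and not require a CSRF token, since browsers send the report without one. The policy also leaves `base-uri`, `form-action` and `frame-ancestors` unrestricted, because those three directives do not fall back to `default-src`; as this is report-only, adding a line `"base-uri 'self'; form-action 'self'; frame-ancestors 'none'; "` costs nothing, mirrors the `X-Frame-Options: DENY` set two lines above, and surfaces what would break before enforcement. As a point of style, the trailing `+` on each line is redundant inside the parentheses — adjacent string literals concatenate implicitly — so each `+` can be dropped. The `after_request` signature is above the hunk; only its tail is visible here.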