Add CSP report endpoint #1329

Closed
miketaylr opened this issue Feb 3, 2017 · 3 comments

@miketaylr
Member

A place that accepts a CSP report and logs the input to disk. Blocks #763

@miketaylr miketaylr self-assigned this Feb 3, 2017
@denschub
Member

denschub commented Feb 7, 2017

If you don't want to build this into the application, I've written a small daemon to collect CSP violation reports and dump them into a SQLite database for a project a while ago. Just pushed the sources to denschub/csp_violation_reports_collector, feel free to ping me if you need help! (Or, FWIW, feel free to not use it at all.)

@miketaylr
Member Author

Thank you @denschub!

@miketaylr
Member Author

I think I'm gonna do the quick and dirty write-to-a-logfile thing in the current app, mostly because it's simpler than figuring out how to host node apps. 🙈

I think medium-term @denschub's solution is nicer though!

miketaylr pushed a commit that referenced this issue Feb 27, 2017
This allows xhr, fonts, images, scripts, css from webcompat.com (or localhost).
It also allows script from google-analytics.com. Let's leave it on for a week or
so and see what we need to tweak before enabling the policy (and where to file bugs
to improve security).
@karlcow karlcow closed this as completed in f5a9ec6 Mar 2, 2017
jeanhl pushed a commit to jeanhl/webcompat.com that referenced this issue Mar 10, 2017
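
An added example, not code from webcompat.com or from denschub's collector: one way to validate the body posted to a report endpoint like the one this issue asks for, before it is written to a log file. The header value, the `/csp-report` path, the size caps and the function names are assumptions; pass `log_csp_report` a `logging.Logger` with a `FileHandler` attached to log to disk.

```python
import json

MAX_BODY = 8192    # assumed cap on request body size, in bytes
MAX_FIELD = 2048   # assumed cap on each logged value, in characters
ALLOWED_TYPES = {"application/csp-report", "application/json"}
# Keys of the JSON body browsers send to a report-uri endpoint.
FIELDS = ("document-uri", "referrer", "violated-directive",
          "effective-directive", "original-policy", "blocked-uri")

# Constructed from the commit message's description; not the project's header.
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only",
    "default-src 'self'; "
    "script-src 'self' https://www.google-analytics.com; "
    "report-uri /csp-report",  # hypothetical endpoint path
)


def parse_csp_report(content_type, body):
    """Return a sanitised dict to log, or None if the request is rejected."""
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_TYPES or len(body) > MAX_BODY:
        return None
    try:
        report = json.loads(body.decode("utf-8")).get("csp-report")
    except (ValueError, AttributeError, RecursionError):
        # Bad UTF-8, bad JSON, non-object top level, or hostile nesting depth.
        return None
    if not isinstance(report, dict):
        return None
    # Keep known keys only and bound each value: the sender is unauthenticated.
    return {k: str(report[k])[:MAX_FIELD] for k in FIELDS if k in report}


def log_csp_report(content_type, body, logger):
    """Log one report as a single JSON line; return the HTTP status to send."""
    record = parse_csp_report(content_type, body)
    if record is None:
        return 400
    # json.dumps escapes newlines, so a report cannot forge extra log lines.
    logger.info(json.dumps(record, sort_keys=True))
    return 204
```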