DEV: Only include "report-sample" CSP directive when reporting is enabled (#9337)

DEV: Only include “report-sample” CSP directive when reporting is enabled (#9337)

diff --git a/app/controllers/csp_reports_controller.rb b/app/controllers/csp_reports_controller.rb
index b0b1091..30824e3 100644
--- a/app/controllers/csp_reports_controller.rb
+++ b/app/controllers/csp_reports_controller.rb
@@ -6,7 +6,7 @@ class CspReportsController < ApplicationController
     raise Discourse::NotFound unless report_collection_enabled?
 
     Logster.add_to_env(request.env, 'CSP Report', report)
-    Rails.logger.warn("CSP Violation: '#{report['blocked-uri']}'")
+    Rails.logger.warn("CSP Violation: '#{report['blocked-uri']}' \n\n#{report['script-sample']}")
 
     head :ok
   end
diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index d2f92f2..78ca564 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -48,12 +48,12 @@ class ContentSecurityPolicy
 
     def script_src
       [
-        :report_sample,
         "#{base_url}/logs/",
         "#{base_url}/sidekiq/",
         "#{base_url}/mini-profiler-resources/",
         *script_assets
       ].tap do |sources|
+        sources << :report_sample if SiteSetting.content_security_policy_collect_reports
         sources << :unsafe_eval if Rails.env.development? # TODO remove this once we have proper source maps in dev
         sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
         sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index fcbf5ec..68a5dc2 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -46,7 +46,6 @@ describe ContentSecurityPolicy do
     it 'always has self, logster, sidekiq, and assets' do
       script_srcs = parse(policy)['script-src']
       expect(script_srcs).to include(*%w[
-        'report-sample'
         http://test.localhost/logs/
         http://test.localhost/sidekiq/
         http://test.localhost/mini-profiler-resources/
@@ -61,6 +60,12 @@ describe ContentSecurityPolicy do
       ])
     end
 
+    it 'includes "report-sample" when report collection is enabled' do
+      SiteSetting.content_security_policy_collect_reports = true
+      script_srcs = parse(policy)['script-src']
+      expect(script_srcs).to include("'report-sample'")
+    end
+
     it 'whitelists Google Analytics and Tag Manager when integrated' do
       SiteSetting.ga_universal_tracking_code = 'UA-12345678-9'
       SiteSetting.gtm_container_id = 'GTM-ABCDEF'
diff --git a/spec/requests/csp_reports_controller_spec.rb b/spec/requests/csp_reports_controller_spec.rb
index 2c3bfe5..07e8aea 100644
--- a/spec/requests/csp_reports_controller_spec.rb
+++ b/spec/requests/csp_reports_controller_spec.rb
@@ -29,7 +29,7 @@ describe CspReportsController do
           "line-number": 25,
           "source-file": "http://localhost:3000/",
           "status-code": 200,
-          "script-sample": ""
+          "script-sample": "console.log('unsafe')"
         }
       }.to_json, headers: { "Content-Type": "application/csp-report" }
     end
@@ -52,7 +52,7 @@ describe CspReportsController do
 
     it 'logs the violation report' do
       send_report
-      expect(Rails.logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js'")
+      expect(Rails.logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')")
     end
   end
 end

GitHub sha: 724d2e99

This commit appears in #9337 which was approved by eviltrout. It was merged by pmusaraj.