Add Reporting API (#3414)

* Add Report-To header

* Linting

* More linting

* More CSP updates

Author: tunetheweb

src/server/__init__.py

@@ -13,7 +13,7 @@
     get_versioned_filename,
 )
 from .config import TEMPLATES_DIR, STATIC_DIR
-from . import csp, feature_policy
+from . import csp, feature_policy, report_api
 import logging
 
 
@@ -53,6 +53,8 @@ def add_header(response):
         if response.status_code == 200 or response.status_code == 304:
             response.cache_control.public = True
             response.cache_control.max_age = 600
+    # Add Report API header
+    response.headers["Report-To"] = report_api.report_to
     return response
 
 

src/server/csp.py

@@ -4,7 +4,7 @@
     "script-src": [
         "'self'",
         "'strict-dynamic'",
-        "www.google-analytics.com",
+        "*.google-analytics.com",
         "www.googletagmanager.com",
         "'unsafe-inline'",
     ],
@@ -14,7 +14,6 @@
         "webmention.io",
         "discuss.httparchive.org",
         "*.google-analytics.com",
-        "www.google-analytics.com",
         "www.googletagmanager.com",
     ],
     "img-src": ["'self'", "https:", "data:"],

src/server/embeds_csp.py

@@ -4,7 +4,7 @@
     "script-src": [
         "'self'",
         "'strict-dynamic'",
-        "www.google-analytics.com",
+        "*.google-analytics.com",
         "www.googletagmanager.com",
         "'unsafe-inline'",
     ],
@@ -13,7 +13,7 @@
         "'self'",
         "webmention.io",
         "discuss.httparchive.org",
-        "www.google-analytics.com",
+        "*.google-analytics.com",
         "www.googletagmanager.com",
     ],
     "img-src": ["'self'", "https:", "data:"],

src/server/report_api.py

@@ -0,0 +1,18 @@
+# Because of the "true" value we can't use a Python object
+# and have to use actual JSON
+report_to = """
+{
+    "group": "default",
+    "max_age": 31536000,
+    "endpoints": [
+        {
+            "url": "https://httparchive.report-uri.com/a/d/g"
+        }
+    ],
+    "include_subdomains": true
+}
+""".replace(
+    "\n", ""
+).replace(
+    " ", ""
+)

src/server/search_csp.py

@@ -4,14 +4,14 @@
     "script-src": [
         "'self'",
         "'strict-dynamic'",
-        "www.google-analytics.com",
+        "*.google-analytics.com",
         "www.googletagmanager.com",
         "cse.google.com",
         "'unsafe-inline'",
         "'unsafe-eval'",
     ],
     "font-src": ["'self'"],
-    "connect-src": ["'self'", "www.google-analytics.com", "www.googletagmanager.com"],
+    "connect-src": ["'self'", "*.google-analytics.com", "www.googletagmanager.com"],
     "img-src": [
         "'self'",
         "*.google-analytics.com",

src/server/stories_csp.py

@@ -4,7 +4,7 @@
     "script-src": [
         "'self'",
         "cdn.ampproject.org",
-        "www.google-analytics.com",
+        "*.google-analytics.com",
         "www.googletagmanager.com",
     ],
     "font-src": ["'self'", "fonts.gstatic.com"],

src/server/tests/routes_test.py

@@ -254,3 +254,8 @@ def test_test_webvitals_js_versioned(client):
 def test_embed(client):
     response = client.get("/en/2022/embeds/structured-data-sankey")
     assert response.status_code == 200
+
+
+def test_report_to_header(client):
+    response = client.get("/en/2022/")
+    assert response.headers["Report-To"].startswith("{")