Add config option for report URI in CSP

SISheogorath · SISheogorath · commit efa490a50f58 · 2018-03-14T17:57:41.000+01:00
This option is needed as it's currently not possible to add an report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.

Signed-off-by: Sheogorath &lt;sheogorath@shivering-isles.com&gt;
diff --git a/README.md b/README.md
@@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
 | `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
 | `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
 | `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
+| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
 
 ## Application settings `config.json`
 
diff --git a/lib/config/default.js b/lib/config/default.js
@@ -18,7 +18,8 @@ module.exports = {
     directives: {
     },
     addDefaults: true,
-    upgradeInsecureRequests: 'auto'
+    upgradeInsecureRequests: 'auto',
+    reportURI: undefined
   },
   protocolusessl: false,
   usecdn: true,
diff --git a/lib/config/environment.js b/lib/config/environment.js
@@ -15,7 +15,8 @@ module.exports = {
     preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
   },
   csp: {
-    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
+    reportURI: process.env.HMD_CSP_REPORTURI
   },
   protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
   alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
diff --git a/lib/csp.js b/lib/csp.js
@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
     addInlineScriptExceptions(directives)
   }
   addUpgradeUnsafeRequestsOptionTo(directives)
+  addReportURI(directives)
   return directives
 }
 
@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
   }
 }
 
+function addReportURI (directives) {
+  if (config.csp.reportURI) {
+    directives.reportUri = config.csp.reportURI
+  }
+}
+
 CspStrategy.addNonceToLocals = function (req, res, next) {
   res.locals.nonce = uuid.v4()
   next()

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {`
`30`	`30`	`addInlineScriptExceptions(directives)`
`31`	`31`	`}`
`32`	`32`	`addUpgradeUnsafeRequestsOptionTo(directives)`
	`33`	`+ addReportURI(directives)`
`33`	`34`	`return directives`
`34`	`35`	`}`
`35`	`36`
`@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {`
`72`	`73`	`}`
`73`	`74`	`}`
`74`	`75`
	`76`	`+function addReportURI (directives) {`
	`77`	`+ if (config.csp.reportURI) {`
	`78`	`+ directives.reportUri = config.csp.reportURI`
	`79`	`+ }`
	`80`	`+}`
	`81`	`+`
`75`	`82`	`CspStrategy.addNonceToLocals = function (req, res, next) {`
`76`	`83`	`res.locals.nonce = uuid.v4()`
`77`	`84`	`next()`