CSP: Add reporting endpoint

src/pretix/base/middleware.py

@@ -192,6 +192,7 @@ class SecurityMiddleware(MiddlewareMixin):
             # single-sign-on this can be nearly anything so we cannot really restrict
             # this. However, we'll restrict it to HTTPS.
             'form-action': ["{dynamic}", "https:"],
+            'report-uri': ["/csp_report/"],
         }
         if 'Content-Security-Policy' in resp:
             _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))

src/pretix/base/validators.py

@@ -32,6 +32,7 @@ class EventSlugBlacklistValidator(BlacklistValidator):
         '__debug__',
         'api',
         'events',
+        'csp_report',
     ]
 
 
@@ -51,4 +52,5 @@ class OrganizerSlugBlacklistValidator(BlacklistValidator):
         '__debug__',
         'about',
         'api',
+        'csp_report',
     ]

src/pretix/base/views/csp.py

@@ -0,0 +1,25 @@
+import json
+import logging
+
+from django.http import (
+    HttpResponseBadRequest, HttpResponse)
+from django.views.decorators.csrf import csrf_exempt
+
+logger = logging.getLogger('pretix.security.csp')
+
+
+@csrf_exempt
+def csp_report(request):
+    try:
+        body = json.loads(request.body.decode())
+        logger.warning(
+            'CSP violation at {r[document-uri]}\n'
+            'Referer: {r[referrer]}\n'
+            'Blocked: {r[blocked-uri]}\n'
+            'Violated: {r[violated-directive]}\n'
+            'Original polity: {r[original-policy]}'.format(r=body['csp-report'])
+        )
+    except (ValueError, KeyError) as e:
+        logger.exception('CSP report failed')
+        return HttpResponseBadRequest()
+    return HttpResponse()