Allow to turn off CSP reporting

2020-06-15 15:11:28 +02:00
parent c992de341f
commit d975a68641
3 changed files with 5 additions and 1 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -212,8 +212,9 @@ class SecurityMiddleware(MiddlewareMixin):
            # single-sign-on this can be nearly anything so we cannot really restrict
            # this. However, we'll restrict it to HTTPS.
            'form-action': ["{dynamic}", "https:"] + (['http:'] if settings.SITE_URL.startswith('http://') else []),
-            'report-uri': ["/csp_report/"],
        }
+        if settings.LOG_CSP:
+            h['report-uri'] = ["/csp_report/"]
        if 'Content-Security-Policy' in resp:
            _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))

--- a/src/pretix/settings.py
+++ b/src/pretix/settings.py
@@ -58,6 +58,7 @@ else:

 debug_fallback = "runserver" in sys.argv
 DEBUG = config.getboolean('django', 'debug', fallback=debug_fallback)
+LOG_CSP = config.getboolean('pretix', 'csp_log', fallback=True)

 PDFTK = config.get('tools', 'pdftk', fallback=None)