Allow to turn off CSP reporting

doc/admin/config.rst

@@ -95,6 +95,8 @@ Example::
     proxy that actively removes and re-adds the header to make sure the correct value is set.
     Defaults to ``off``.
 
+``csp_log``
+    Log violations of the Content Security Policy (CSP). Defaults to ``on``.
 
 Locale settings
 ---------------

src/pretix/base/middleware.py

@@ -212,8 +212,9 @@ class SecurityMiddleware(MiddlewareMixin):
             # single-sign-on this can be nearly anything so we cannot really restrict
             # this. However, we'll restrict it to HTTPS.
             'form-action': ["{dynamic}", "https:"] + (['http:'] if settings.SITE_URL.startswith('http://') else []),
-            'report-uri': ["/csp_report/"],
         }
+        if settings.LOG_CSP:
+            h['report-uri'] = ["/csp_report/"]
         if 'Content-Security-Policy' in resp:
             _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
 

src/pretix/settings.py

@@ -58,6 +58,7 @@ else:
 
 debug_fallback = "runserver" in sys.argv
 DEBUG = config.getboolean('django', 'debug', fallback=debug_fallback)
+LOG_CSP = config.getboolean('pretix', 'csp_log', fallback=True)
 
 PDFTK = config.get('tools', 'pdftk', fallback=None)