From d975a68641efde5743fb38f7e20a50d0906c86f7 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 15 Jun 2020 15:11:28 +0200
Subject: [PATCH] Allow to turn off CSP reporting
---
 doc/admin/config.rst | 2 ++
 src/pretix/base/middleware.py | 3 ++-
 src/pretix/settings.py | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/admin/config.rst b/doc/admin/config.rst
index 550ed2f3a9..fe933b6f8f 100644
--- a/doc/admin/config.rst
+++ b/doc/admin/config.rst
@@ -95,6 +95,8 @@ Example::
 proxy that actively removes and re-adds the header to make sure the correct value is set. Defaults to ``off``.
+``csp_log``
+ Log violations of the Content Security Policy (CSP). Defaults to ``on``.
 Locale settings
 ---------------
diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index 0a964317fa..ce8c78ca91 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -212,8 +212,9 @@ class SecurityMiddleware(MiddlewareMixin):
 # single-sign-on this can be nearly anything so we cannot really restrict
 # this. However, we'll restrict it to HTTPS.
 'form-action': ["{dynamic}", "https:"] + (['http:'] if settings.SITE_URL.startswith('http://') else []),
- 'report-uri': ["/csp_report/"],
 }
+ if settings.LOG_CSP:
+ h['report-uri'] = ["/csp_report/"]
 if 'Content-Security-Policy' in resp:
 _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
diff --git a/src/pretix/settings.py b/src/pretix/settings.py
index 6ef0031ac9..026d32a1f5 100644
--- a/src/pretix/settings.py
+++ b/src/pretix/settings.py
@@ -58,6 +58,7 @@ else:
 debug_fallback = "runserver" in sys.argv
 DEBUG = config.getboolean('django', 'debug', fallback=debug_fallback)
+LOG_CSP = config.getboolean('pretix', 'csp_log', fallback=True)
 PDFTK = config.get('tools', 'pdftk', fallback=None)
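Review bot: Setting `LOG_CSP` to false only drops the `report-uri` directive from the outgoing header; the `/csp_report/` endpoint it pointed at lives outside this hunk and, as far as the patch shows, would still accept and log POSTed reports from any client, so an operator who turned the option off to stop log noise or growth would not get that. The view that handles `/csp_report/` (not visible here) should presumably check `settings.LOG_CSP` as well and answer 404 when reporting is off, so the option has one meaning end to end; please confirm against that view. A short why-comment above the new branch would also help, e.g. `# report-uri is only emitted when csp_log is on; the /csp_report/ view receives the browser's violation reports`. The enclosing method of SecurityMiddleware starts and ends outside the hunk.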
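Review bot: The Python name `LOG_CSP` reverses the config key `csp_log` it reads, so someone grepping for the documented key will not land on this line; either name the setting `CSP_LOG` to match or add a trailing comment, e.g. `LOG_CSP = config.getboolean('pretix', 'csp_log', fallback=True)  # [pretix] csp_log, see doc/admin/config.rst`. The `fallback=True` agrees with the default of on stated in the documentation hunk, which is good.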