OTWO-7218 Add CSP headers[report only] (#1785)

app/controllers/csp_violation_reports_controller.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class CspViolationReportsController < ApplicationController
+  skip_before_action :verify_authenticity_token
+
+  def report
+    notify_airbrake(request.raw_post)
+    head :ok
+  end
+end

config/initializers/content_security_policy.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+allowed_script_sources = %w[www.google.com cdn.firebase.com www.gstatic.com s7.addthis.com cdnjs.cloudflare.com]
+
+Rails.application.config.content_security_policy do |policy|
+  policy.default_src :self, :https
+  policy.font_src :self, :https, :data
+  policy.img_src :self, :https, :data
+  policy.object_src :none
+  policy.script_src :self, :https, :unsafe_eval, *allowed_script_sources
+  policy.style_src :self, :https, :unsafe_inline
+  policy.report_uri '/csp-violation-report'
+end
+
+Rails.application.config.content_security_policy_report_only = true

config/routes.rb

@@ -34,6 +34,8 @@
   post 'sessions' => 'sessions#create', as: :oh_sessions
   get 'health' => 'sessions#health'
 
+  post '/csp-violation-report' => 'csp_violation_reports#report'
+
   resources :stack_entries, only: :new
 
   resources :activation_resends, only: %i[new create]

test/controllers/csp_violation_reports_controller_test.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class CspViolationReportsControllerTest < ActionController::TestCase
+  it 'must notify errbit' do
+    @controller.expects(:notify_airbrake).once
+    post :report
+  end
+end