From cfb9d2101481419808503200409a03213336a01e Mon Sep 17 00:00:00 2001
From: Rob Hudson
Date: Tue, 17 Sep 2024 14:41:19 -0700
Subject: [PATCH] Also send reports for the enforced CSP

---
 bedrock/settings/__init__.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index c4ae039b0ac..047d235af29 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -246,8 +246,11 @@
 csp_extra_frame_src = config("CSP_EXTRA_FRAME_SRC", default="", parser=ListOf(str))
 if csp_extra_frame_src:
     _csp_child_src = list(set(_csp_child_src + csp_extra_frame_src))
+csp_report_uri = config("CSP_REPORT_URI", default="") or None
 
 CONTENT_SECURITY_POLICY = {
+    # Default report percentage to 1% just in case the env var isn't set, we don't want to bombard Sentry.
+    "REPORT_PERCENTAGE": config("CSP_REPORT_PERCENTAGE", default="1", parser=int),
     "DIRECTIVES": {
         "default-src": _csp_default_src,
         "img-src": list(set(_csp_default_src + _csp_img_src)),
@@ -258,14 +261,12 @@
         "connect-src": list(set(_csp_default_src + _csp_connect_src)),
         # support older browsers (mainly Safari)
         "frame-src": _csp_child_src,
+        "report-uri": csp_report_uri,
     },
 }
 # Only set up report-only CSP if we have a report-uri set.
-if csp_report_uri := config("CSP_REPORT_URI", default="") or None:
+if csp_report_uri:
     CONTENT_SECURITY_POLICY_REPORT_ONLY = deepcopy(CONTENT_SECURITY_POLICY)
-    # Add reporting.
-    CONTENT_SECURITY_POLICY_REPORT_ONLY["REPORT_PERCENTAGE"] = config("CSP_REPORT_PERCENTAGE", default="100", parser=int)
-    CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_report_uri
     # CSP directive updates we're testing that we hope to move to the enforced policy.
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE]
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE)
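Review bot: The new `"REPORT_PERCENTAGE"` entry in `CONTENT_SECURITY_POLICY` only throttles anything if the request path runs django-csp's rate-limiting middleware (`csp.contrib.rate_limiting.RateLimitedCSPMiddleware`, as far as I recall); the plain `CSPMiddleware` ignores the key, so the "we don't want to bombard Sentry" comment is only true if `MIDDLEWARE`, which is outside this hunk, uses that variant — worth confirming before relying on the 1% default. The comment should also say what the setting controls so the next reader does not assume it is an accept/reject switch, e.g. `# Percentage of responses that carry the report-uri directive (django-csp rate-limiting middleware only); 0 disables reporting, default 1 to avoid flooding Sentry.` Nothing validates the parsed value, so a stray `CSP_REPORT_PERCENTAGE=150` or `-1` is passed straight through; a `min(100, max(0, ...))` clamp, or an explicit check, would make the env var safe to mis-set. The `CONTENT_SECURITY_POLICY` dict continues past the end of this hunk.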
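Review bot: `"report-uri": csp_report_uri` is added to the enforced policy unconditionally, and `csp_report_uri` is `None` whenever `CSP_REPORT_URI` is unset; whether django-csp's policy builder silently drops a `None` directive or renders something odd into the header is not visible from this hunk, so check the emitted `Content-Security-Policy` in the no-report-uri configuration, or only include the key when it is set: `**({"report-uri": csp_report_uri} if csp_report_uri else {}),`. A second effect the commit message does not mention is that `CONTENT_SECURITY_POLICY_REPORT_ONLY` is a `deepcopy` of the enforced policy, so the report-only policy — the one trialling `frame-ancestors 'none'` and the removal of `'unsafe-inline'` from `style-src` — drops from its previous default of 100% to the shared 1% sample and can no longer be sampled at a different rate from the enforced one, which weakens the very signal that decides whether those directives are safe to promote. Keeping a separate knob, e.g. `CONTENT_SECURITY_POLICY_REPORT_ONLY["REPORT_PERCENTAGE"] = config("CSP_REPORT_ONLY_PERCENTAGE", default="100", parser=int)`, would preserve the old behaviour. The dict being edited starts in the previous hunk, outside this one.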