
Reporting Content Security Policy violations to Sentry #519

Closed
connorshea opened this issue Jul 5, 2016 · 2 comments

Comments

@connorshea

CSP violation reporting is implemented in Sentry, but I'm not sure how to report them from the Ruby gem: getsentry/sentry#2154

I'm using the secure_headers gem and need to pass the Sentry API URL to the report_uri field (it can change depending on the installation so we can't hardcode it).

Is support for this implemented in raven-ruby, and if not, is there a way to access the URL from the Rails app? I've looked through the documentation a few times but have come up empty.

Sorry about asking a support question in the issue tracker; if there's somewhere better to ask this, I'll gladly go there.

@dcramer
Member

dcramer commented Jul 5, 2016

@connorshea we have no helper function to do this in the SDK at the moment. It's actually not required to even have the Ruby SDK to enable CSP reports. I'd suggest configuring the public DSN somewhere based on the environment (I'm not a big Ruby user, so I can't suggest where), and just passing that in with your configuration. In Django we do this in our settings.py, as well as create a setting which lets us change the CSP rules without going in and updating a middleware:

# settings.py excerpt; STATIC_HOST is defined elsewhere in the same settings module
CSP_REPORT_URL = '...'
CSP_HEADER = (
    'Content-Security-Policy', (
        ('default-src', (
            '*',
        )),
        ('script-src', (
            "'self'",
            "'unsafe-eval'",
            "'unsafe-inline'",
            STATIC_HOST,
            'cdn.ravenjs.com',
            'assets.zendesk.com',
            'ajax.googleapis.com',
            'ssl.google-analytics.com',
            'www.googleadservices.com',
            'analytics.twitter.com',
            'platform.twitter.com',
            '*.pingdom.net',
            's.adroll.com',
            'd.adroll.com',
            'js.stripe.com',
            'statuspage-production.s3.amazonaws.com',
            's3.amazonaws.com',
            '*.google.com',
            'www.gstatic.com',
            'aui-cdn.atlassian.com',
            'www.hipchat.com',
        )),
        ('style-src', (
            "'self'",
            "'unsafe-inline'",
            STATIC_HOST,
            's3.amazonaws.com',
            'aui-cdn.atlassian.com',
            'www.hipchat.com',
        )),
        ('img-src', (
            '*',
            'data:'
        )),
        ('report-uri', (
            CSP_REPORT_URL,
        )),
    )
)

Our middleware then just injects that value:

from django.conf import settings

# Old-style (MIDDLEWARE_CLASSES) Django middleware: reads the (header name, directives)
# tuple from settings once and serialises it into a single header value.
class CspHeaderMiddleware(object):
    def __init__(self):
        CSP_HEADER = getattr(settings, 'CSP_HEADER', None)
        self.key = CSP_HEADER[0]
        # Each directive becomes "name source source ..."; directives are joined with "; "
        self.value = '; '.join(map(lambda h: '%s %s' % (h[0], ' '.join(h[1])), CSP_HEADER[1]))

    def process_response(self, request, response):
        # Only HTML responses get the policy; API and static responses are left alone
        if response.get('Content-Type', '')[:9] == 'text/html':
            response[self.key] = self.value
        return response

(middleware in Django is similar to Rack middleware in Ruby)
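A Ruby counterpart of the approach above for the Rails/secure_headers side of the question, added here as an example (not code from raven-ruby or from either participant): it derives the CSP report endpoint from a Sentry DSN using only the public key, builds the policy in the hash form secure_headers 3.x accepts, and serialises it the way the Django middleware does. The DSN is constructed, and the `/api/<project_id>/csp-report/?sentry_key=` endpoint shape is assumed from Sentry's documentation of that period rather than taken from this issue.

```ruby
require 'uri'

# Constructed sample DSN (not a real project). A browser-sent CSP report only
# needs the public key; the secret key must never appear in the header.
SAMPLE_DSN = 'https://examplePublicKey:exampleSecretKey@sentry.example.com/42'

# Derive Sentry's CSP report endpoint from a DSN of the form
# scheme://public_key:secret_key@host/project_id. The endpoint shape
# /api/<project_id>/csp-report/?sentry_key=<public_key> is assumed from
# Sentry's documentation of the period, not taken from this issue.
def sentry_csp_report_uri(dsn)
  uri = URI.parse(dsn)
  raise ArgumentError, 'DSN has no public key' if uri.user.to_s.empty?
  project_id = uri.path.split('/').reject(&:empty?).last
  raise ArgumentError, 'DSN has no project id' if project_id.nil?
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}/api/#{project_id}/csp-report/?sentry_key=#{uri.user}"
end

# Policy hash in the shape secure_headers 3.x accepts (directive names as
# snake_case symbols, sources as arrays). The sources here are illustrative.
def csp_config(report_uri)
  {
    default_src: %w('self'),
    script_src: %w('self' cdn.ravenjs.com),
    style_src: %w('self'),
    img_src: %w(* data:),
    report_uri: [report_uri]
  }
end

# Serialise the hash the same way the Django middleware above does, so the
# final header value can be inspected in tests before the gem emits it.
def csp_header_value(config)
  config.map { |directive, sources| "#{directive.to_s.tr('_', '-')} #{sources.join(' ')}" }.join('; ')
end

# Wire it into secure_headers when the gem is loaded (e.g. from a Rails
# initializer); skipped here so the file runs stand-alone without the gem.
if defined?(SecureHeaders)
  SecureHeaders::Configuration.default do |config|
    config.csp = csp_config(sentry_csp_report_uri(ENV.fetch('SENTRY_DSN', SAMPLE_DSN)))
  end
end

puts csp_header_value(csp_config(sentry_csp_report_uri(SAMPLE_DSN))) if $PROGRAM_NAME == __FILE__
```

Because the report URI is computed from the DSN the app already has, a different Sentry installation only needs a different `SENTRY_DSN`, which answers the "can't hardcode it" concern in the question.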

@dcramer dcramer closed this as completed Jul 5, 2016
@connorshea
Author

Thanks for the help @dcramer :)

alexford pushed a commit to alexford/raven-ruby that referenced this issue Jan 1, 2017