FEATURE: [Experimental] Content Security Policy (#6504)

app/controllers/csp_reports_controller.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+class CspReportsController < ApplicationController
+  skip_before_action :check_xhr, :preload_json, :verify_authenticity_token, only: [:create]
+
+  def create
+    raise Discourse::NotFound unless report_collection_enabled?
+
+    Logster.add_to_env(request.env, 'CSP Report', report)
+    Rails.logger.warn("CSP Violation: '#{report['blocked-uri']}'")
+
+    head :ok
+  end
+
+  private
+
+  def report
+    @report ||= params.require('csp-report').permit(
+      'blocked-uri',
+      'disposition',
+      'document-uri',
+      'effective-directive',
+      'original-policy',
+      'referrer',
+      'script-sample',
+      'status-code',
+      'violated-directive',
+      'line-number',
+      'source-file'
+    ).to_h
+  end
+
+  def report_collection_enabled?
+    ContentSecurityPolicy.enabled? && SiteSetting.content_security_policy_collect_reports
+  end
+end