From efa490a50f5849205645384ee7910764bf929794 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 10 Mar 2018 14:34:14 +0100
Subject: [PATCH] Add config option for report URI in CSP

This option is needed as it's currently not possible to add an report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
---
 README.md                 | 1 +
 lib/config/default.js     | 3 ++-
 lib/config/environment.js | 3 ++-
 lib/csp.js                | 7 +++++++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e65eec3..7c577bb 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
 | `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
 | `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
 | `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
+| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
 
 ## Application settings `config.json`
 
diff --git a/lib/config/default.js b/lib/config/default.js
index 06e887f..7407ec6 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,7 +18,8 @@ module.exports = {
     directives: {
     },
     addDefaults: true,
-    upgradeInsecureRequests: 'auto'
+    upgradeInsecureRequests: 'auto',
+    reportURI: undefined
   },
   protocolusessl: false,
   usecdn: true,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index b83c67e..34049fb 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -15,7 +15,8 @@ module.exports = {
     preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
   },
   csp: {
-    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
+    reportURI: process.env.HMD_CSP_REPORTURI
   },
   protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
   alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
diff --git a/lib/csp.js b/lib/csp.js
index 509bc53..b46ae8e 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
     addInlineScriptExceptions(directives)
   }
   addUpgradeUnsafeRequestsOptionTo(directives)
+  addReportURI(directives)
   return directives
 }
 
@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
   }
 }
 
+function addReportURI (directives) {
+  if (config.csp.reportURI) {
+    directives.reportUri = config.csp.reportURI
+  }
+}
+
 CspStrategy.addNonceToLocals = function (req, res, next) {
   res.locals.nonce = uuid.v4()
   next()