panel/app/controllers/api/v1/csp_reports_controller.rb

# frozen_string_literal: true

module Api
  module V1
    # Recibe los reportes de Content Security Policy
    class CspReportsController < BaseController
      skip_forgery_protection

      # Crea un reporte de CSP intercambiando los guiones medios por
      # bajos
      #
      # TODO: Aplicar rate_limit
      def create
        csp = CspReport.new(csp_report_params.to_h.map do |k, v|
                              { k.tr('-', '_') => v }
                            end.inject(&:merge))

        csp.id = SecureRandom.uuid
        csp.save

        render json: {}, status: :created
      end

      private

      # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only#Violation_report_syntax
      def csp_report_params
        params.require(:'csp-report')
              .permit(:disposition,
                      :referrer,
                      :'blocked-uri',
                      :'document-uri',
                      :'effective-directive',
                      :'original-policy',
                      :'script-sample',
                      :'status-code',
                      :'violated-directive',
                      :'line-number',
                      :'column-number',
                      :'source-file')
      end
    end
  end
end
Content Security Policy 2020-02-06 16:11:17 +00:00			`# frozen_string_literal: true`

			`module Api`
			`module V1`
			`# Recibe los reportes de Content Security Policy`
			`class CspReportsController < BaseController`
no aplicar protecciones al recibir reportes CSP An ActionController::InvalidAuthenticityToken occurred in csp_reports#create: The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the best solution is to change your referrer policy to something less strict like same-origin or strict-origin. If you cannot change the referrer policy, you can disable origin checking with the Rails.application.config.action_controller.forgery_protection_origin_check setting. 2020-02-12 15:22:37 +00:00			`skip_forgery_protection`

Content Security Policy 2020-02-06 16:11:17 +00:00			`# Crea un reporte de CSP intercambiando los guiones medios por`
			`# bajos`
			`#`
			`# TODO: Aplicar rate_limit`
			`def create`
			`csp = CspReport.new(csp_report_params.to_h.map do \|k, v\|`
			`{ k.tr('-', '_') => v }`
			`end.inject(&:merge))`

			`csp.id = SecureRandom.uuid`
			`csp.save`

			`render json: {}, status: :created`
			`end`

			`private`

			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only#Violation_report_syntax`
			`def csp_report_params`
			`params.require(:'csp-report')`
			`.permit(:disposition,`
			`:referrer,`
			`:'blocked-uri',`
			`:'document-uri',`
			`:'effective-directive',`
			`:'original-policy',`
			`:'script-sample',`
			`:'status-code',`
			`:'violated-directive',`
			`:'line-number',`
			`:'column-number',`
			`:'source-file')`
			`end`
			`end`
			`end`
			`end`