mirror of https://0xacab.org/sutty/sutty synced 2024-11-22 22:46:22 +00:00
panel/app/controllers/api/v1/csp_reports_controller.rb
2edcf58d64
do not apply forgery protections when receiving CSP reports
An ActionController::InvalidAuthenticityToken occurred in
csp_reports#create:

The browser returned a 'null' origin for a request with origin-based
forgery protection turned on.  This usually means you have the
'no-referrer' Referrer-Policy header enabled, or that the request came
from a site that refused to give its origin.  This makes it impossible
for Rails to verify the source of the requests.  Likely the best
solution is to change your referrer policy to something less strict like
same-origin or strict-origin.  If you cannot change the referrer policy,
you can disable origin checking with the
Rails.application.config.action_controller.forgery_protection_origin_check
setting.
2020-02-12 12:23:06 -03:00

44 lines
1.3 KiB
Ruby

# frozen_string_literal: true

module Api
  module V1
    # Receives Content Security Policy violation reports
    class CspReportsController < BaseController
      skip_forgery_protection

      # Creates a CSP report, swapping the hyphens in the report keys
      # for underscores
      #
      # TODO: apply rate_limit
      def create
        csp = CspReport.new(csp_report_params.to_h.map do |k, v|
          { k.tr('-', '_') => v }
        end.inject(&:merge))
        csp.id = SecureRandom.uuid
        csp.save

        render json: {}, status: :created
      end

      private

      # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only#Violation_report_syntax
      def csp_report_params
        params.require(:'csp-report')
              .permit(:disposition,
                      :referrer,
                      :'blocked-uri',
                      :'document-uri',
                      :'effective-directive',
                      :'original-policy',
                      :'script-sample',
                      :'status-code',
                      :'violated-directive',
                      :'line-number',
                      :'column-number',
                      :'source-file')
      end
    end
  end
end
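The controller above relies on the parameter allowlist, not on the CSRF token, to keep the unauthenticated report endpoint safe. This added example (not Sutty's code) reproduces that normalisation outside Rails, with a constructed browser report as input: only allowlisted keys survive, hyphens become underscores, and an empty or missing `csp-report` envelope is handled explicitly instead of falling through to `inject(&:merge)` returning `nil`.

```ruby
require 'json'

# Allowlist mirrored from csp_report_params in the controller above.
CSP_REPORT_FIELDS = %w[
  disposition referrer blocked-uri document-uri effective-directive
  original-policy script-sample status-code violated-directive
  line-number column-number source-file
].freeze

# Constructed sample of what a browser POSTs as application/csp-report.
# "extra-field" is not part of the report syntax and must be dropped.
SAMPLE_REPORT = <<~JSON
  {"csp-report": {
    "document-uri": "https://example.org/page",
    "referrer": "",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /api/v1/csp_reports",
    "disposition": "enforce",
    "blocked-uri": "https://blocked.example/x.js",
    "line-number": 12,
    "status-code": 200,
    "script-sample": "",
    "extra-field": "ignored"
  }}
JSON

# Returns a Hash containing only allowlisted keys, renamed with
# underscores so they match column names. Raises when the "csp-report"
# envelope is missing or is not an object (the Rails params.require
# equivalent). An empty report yields {} rather than nil.
def normalize_csp_report(body)
  report = JSON.parse(body).fetch('csp-report') do
    raise ArgumentError, 'missing csp-report envelope'
  end
  raise ArgumentError, 'csp-report must be an object' unless report.is_a?(Hash)

  report.select { |k, _| CSP_REPORT_FIELDS.include?(k) }
        .transform_keys { |k| k.tr('-', '_') }
end
```

Because the endpoint skips forgery protection, this allowlist plus the rate limit noted in the TODO are the only controls between an anonymous POST and a row in the database, so both belong in any review of this controller.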