Merge pull request #3933 from overleaf/ae-csp-report-percentage

Add CSP_REPORT_PERCENTAGE

GitOrigin-RevId: 4afde0da6e3660c83df8c5c9cd31a3f246e9e572

services/web/app/src/infrastructure/CSP.js

@@ -3,6 +3,7 @@ const path = require('path')
 
 module.exports = function ({
   reportUri,
+  reportPercentage,
   reportOnly = false,
   exclude = [],
   percentage
@@ -29,7 +30,10 @@ module.exports = function ({
           `base-uri 'none'`
         ]
 
-        if (reportUri) {
+        // enable the report URI for a percentage of CSP-enabled requests
+        const belowReportCutoff = Math.random() * 100 <= reportPercentage
+
+        if (reportUri && belowReportCutoff) {
           directives.push(`report-uri ${reportUri}`)
           // NOTE: implement report-to once it's more widely supported
         }

services/web/config/settings.defaults.coffee

@@ -736,6 +736,7 @@ module.exports = settings =
 		percentage: parseFloat(process.env.CSP_PERCENTAGE) || 0
 		enabled: process.env.CSP_ENABLED == 'true'
 		reportOnly: process.env.CSP_REPORT_ONLY == 'true'
+		reportPercentage: parseFloat(process.env.CSP_REPORT_PERCENTAGE) || 0
 		reportUri: process.env.CSP_REPORT_URI
 		exclude: [
 			'app/views/project/editor',