From 868fc930125c7d3f115aa09fc1921c8280c0f4c8 Mon Sep 17 00:00:00 2001
From: Alf Eaton
Date: Wed, 2 Oct 2024 10:30:47 +0100
Subject: [PATCH] Add report-to CSP directive (#20567)
GitOrigin-RevId: 28ba23aee10deec14de5c520cb277fa10bee118c
---
 services/web/app/src/infrastructure/CSP.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/services/web/app/src/infrastructure/CSP.js b/services/web/app/src/infrastructure/CSP.js
index 28f4f380d3..436cdd1bb0 100644
--- a/services/web/app/src/infrastructure/CSP.js
+++ b/services/web/app/src/infrastructure/CSP.js
@@ -16,6 +16,9 @@ module.exports = function ({
 return function (req, res, next) {
 // set the default policy
 res.set(header, defaultPolicy)
+ if (reportUri) {
+ res.set('Reporting-Endpoints', `csp-endpoint="${reportUri}"`)
+ }
 const originalRender = res.render
@@ -25,6 +28,7 @@ module.exports = function ({
 if (exclude.includes(view)) {
 // remove the default policy
 res.removeHeader(header)
+ res.removeHeader('Reporting-Endpoints')
 } else {
 // set the view policy
 res.locals.cspEnabled = true
@@ -58,7 +62,7 @@ const buildDefaultPolicy = (reportUri, styleSrc) => {
 if (reportUri) {
 directives.push(`report-uri ${reportUri}`)
- // NOTE: implement report-to once it's more widely supported
+ directives.push(`report-to csp-endpoint`)
 }
 if (styleSrc) {
@@ -81,7 +85,7 @@ const buildViewPolicy = (scriptNonce, reportPercentage, reportUri) => {
 if (belowReportCutoff) {
 directives.push(`report-uri ${reportUri}`)
- // NOTE: implement report-to once it's more widely supported
+ directives.push(`report-to csp-endpoint`)
 }
 }
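Review bot: The `Reporting-Endpoints` value added in the first hunk interpolates `reportUri` straight into a quoted Structured Field string, so a `"` or `\` in the configured URI would yield a header browsers cannot parse and reports would silently stop arriving; since the value comes from configuration rather than the request, a startup check or escaping is enough, e.g. `res.set('Reporting-Endpoints', `csp-endpoint=${JSON.stringify(reportUri)}`)`, which matches sf-string quoting for any URI without control characters. The endpoint name `csp-endpoint` is now spelled out in three places (this header and the `report-to` directives in the third and fourth hunks), and the `'Reporting-Endpoints'` header name in two; a single `const CSP_REPORTING_ENDPOINT = 'csp-endpoint'` referenced from all of them would keep the header and the directives from drifting apart, since a mismatch disables report-to delivery without any error. In the fourth hunk the `report-to` directive is emitted whenever `belowReportCutoff` holds, while the header is only set `if (reportUri)`; the visible `report-uri` push in the same branch suggests `belowReportCutoff` already implies a configured `reportUri`, but that is worth confirming since its definition is outside the hunk. The enclosing `module.exports` middleware in the first two hunks starts and ends outside the hunks.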