csp: add a config option to set the CSP in report-only mode

pietroalbini · pietroalbini · commit 7939aca5d9ee · 2021-04-08T13:25:21.000+02:00
diff --git a/src/config.rs b/src/config.rs
@@ -47,6 +47,9 @@ pub struct Config {
     // For unit-tests the number has to be higher.
     pub(crate) random_crate_search_view_size: u32,
 
+    // Content Security Policy
+    pub(crate) csp_report_only: bool,
+
     // Build params
     pub(crate) build_attempts: u16,
     pub(crate) rustwide_workspace: PathBuf,
@@ -96,6 +99,8 @@ impl Config {
 
             random_crate_search_view_size: env("DOCSRS_RANDOM_CRATE_SEARCH_VIEW_SIZE", 500)?,
 
+            csp_report_only: env("DOCSRS_CSP_REPORT_ONLY", false)?,
+
             rustwide_workspace: env("CRATESFYI_RUSTWIDE_WORKSPACE", PathBuf::from(".workspace"))?,
             inside_docker: env("DOCS_RS_DOCKER", false)?,
             local_docker_image: maybe_env("DOCS_RS_LOCAL_DOCKER_IMAGE")?,
diff --git a/src/web/csp.rs b/src/web/csp.rs
@@ -1,3 +1,4 @@
+use crate::config::Config;
 use iron::{AfterMiddleware, BeforeMiddleware, IronResult, Request, Response};
 
 pub(super) struct Csp {
@@ -94,6 +95,11 @@ impl BeforeMiddleware for CspMiddleware {
 
 impl AfterMiddleware for CspMiddleware {
     fn after(&self, req: &mut Request, mut res: Response) -> IronResult<Response> {
+        let config = req
+            .extensions
+            .get::<Config>()
+            .expect("missing Config")
+            .clone();
         let csp = req.extensions.get_mut::<Csp>().expect("missing CSP");
 
         let content_type = res
@@ -110,7 +116,14 @@ impl AfterMiddleware for CspMiddleware {
 
         if let Some(rendered) = csp.render(preset) {
             res.headers.set_raw(
-                "Content-Security-Policy",
+                // The Report-Only header tells the browser to just log CSP failures instead of
+                // actually enforcing them. This is useful to check if the CSP works without
+                // impacting production traffic.
+                if config.csp_report_only {
+                    "Content-Security-Policy-Report-Only"
+                } else {
+                    "Content-Security-Policy"
+                },
                 vec![rendered.as_bytes().to_vec()],
             );
         }
