add report only csp policy and report endpoint #1860
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tkadlec
reviewed
May 20, 2022
tkadlec
reviewed
May 20, 2022
jefflembeck
reviewed
May 20, 2022
| <?php | ||
|
|
||
| // Start configure | ||
| $log_file = dirname(__FILE__) . '/csp-violations.log'; |
There was a problem hiding this comment.
Let's make sure we add this to the .gitignore so we don't have any issues with our deployments
There was a problem hiding this comment.
probably ok to target any logs?
jefflembeck
reviewed
May 20, 2022
| $json_data . | ||
| "\n\nFurther CPS violations will be logged to the following log file, but no further email notifications will be sent until this log file is deleted:\n\n" . | ||
| $log_file; | ||
| mail( |
There was a problem hiding this comment.
Does this use the main (blocking) process? I'm worried about having 2000 users on the site and all of these going off at the same time.
jefflembeck
reviewed
May 20, 2022
| // Start configure | ||
| $log_file = dirname(__FILE__) . '/csp-violations.log'; | ||
| $log_file_size_limit = 1000000; // bytes - once exceeded no further entries are added | ||
| $email_address = '[email protected]'; |
There was a problem hiding this comment.
oh god sue i'm so sorry
There was a problem hiding this comment.
haha yeah I was going to ask.. can we use a different email
|
Setting this to BLOCKED, because it requires some server configurations for logging. |
deathbearbrown
force-pushed
the
add-csp-report-only
branch
from
07b5ebc
to
f6de094
Compare
Update the signup-flow header for smaller screens
Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 7.4.2 to 7.4.3. - [Release notes](https://github.com/guzzle/guzzle/releases) - [Changelog](https://github.com/guzzle/guzzle/blob/master/CHANGELOG.md) - [Commits](guzzle/guzzle@7.4.2...7.4.3) --- updated-dependencies: - dependency-name: guzzlehttp/guzzle dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
…lehttp/guzzle-7.4.3 chore(deps): bump guzzlehttp/guzzle from 7.4.2 to 7.4.3
chore(update): from dependabot
deathbearbrown
force-pushed
the
add-csp-report-only
branch
from
f6de094
to
3d72953
Compare
If a user is WPT Enterprise, they do not have a braintree id and thus get access denied when querying for braintree transaction history. This is bad because our graphql client blows up on ANY errors existing. So, let's make a different query if somebody is wpt enterprise to not query for that if they are
make sure account.css has versioning for all references
fix(csrf): get the token on every page, check the post only on accoun…
deathbearbrown
force-pushed
the
add-csp-report-only
branch
from
3d72953
to
762adb6
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Nightmare linter strikes again.
Loves them 4 space tabs.
Common.inc line 62-74 is the csp header and I added a report endpoint which will create a log file.