don't report csp violations by default

2023-08-04 13:06:24 -04:00 · 2023-08-04 13:06:24 -04:00 · 79756a6b0f
parent 9de375d169
commit 79756a6b0f
1 changed files with 8 additions and 1 deletions
--- a/web.go
+++ b/web.go
@ -2560,6 +2560,9 @@ func apihandler(w http.ResponseWriter, r *http.Request) {
 }

 func fiveoh(w http.ResponseWriter, r *http.Request) {
+	if !develMode {
+		return
+	}
 	fd, err := os.OpenFile("violations.json", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
 	if err != nil {
 		elog.Printf("error opening violations! %s", err)
@ -2606,7 +2609,11 @@ func bgmonitor() {

 func addcspheaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'; report-uri /csp-violation")
+		policy := "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'"
+		if develMode {
+			policy += "; report-uri /csp-violation"
+		}
+		w.Header().Set("Content-Security-Policy", policy)
 		next.ServeHTTP(w, r)
 	})
 }