Content Security Policy

[tmaier]

It would be great, if you could show how to (dynamically) set the content security policy reporting URI.

For example in the demo app at https://github.com/getsentry/sentry-ruby/blob/94c28fe9a7fd1c15a10eeeb0e1c4fcac099d4166/sentry-rails/examples/rails-6.0/config/initializers/content_security_policy.rb

[st0012]

@tmaier do you mean parsing and generating the Security Header Endpoint used for CSP from the given DSN?

[tmaier]

Yes.

I believe I got it working with the secure_headers gem

My secure_headers.rb:

# Require sentry initializer so that Sentry is ready to be called within CSP
require_relative 'sentry'

SecureHeaders::Configuration.default do |config|
  # ...snip...
  if Sentry.configuration.dsn
    config.csp_report_only[:report_uri] = [
      "https://#{Sentry.configuration.dsn.host}/api/#{Sentry.configuration.dsn.project_id}/security/?sentry_key=#{Sentry.configuration.dsn.public_key}&sentry_environment=#{Sentry.configuration.environment}&sentry_release=#{Sentry.configuration.release}"
    ]
  end
end

[tmaier]

Having this officially documented would be cool, having here a public API, which generates this endpoint would be even cooler

[st0012]

@tmaier given that the SDK does hold all the information for the url, I think it's a great idea to have a helper for generating that for users. thanks for the suggestion 👍 I'll implement that soon.

[st0012]

close via #1507