As promised, this feature was just enabled by default: CSP Frame Ancestors enabled by default
I am currently setting up Google Adsense on my website and it seems I am missing the “Enable CSP violation report collection at /csp_reports” settings… I am currently self-hosting Discourse on version 2.9.0.beta6.
Above, in quote, a screenshot of the setting I am missing.
Above, my setting page for CSP with the “Enable CSP violation report collection at /csp_reports” missing.
Any help is appreciated! And please tell me if I set up the settings I have correctly for Adsense, I never used it before!
Apologies, my earlier replies here are outdated because as of ~ a month ago we made content_security_policy_collect_reports a hidden setting. You can still enable it but you need to do it via the Rails console, as in:

```
./launcher enter app
...
rails c
...
SiteSetting.content_security_policy_collect_reports = true
```
Note that this is very noisy. I highly recommend not going down this route at all and simply enabling CSP and navigating the site with the browser console open using multiple browsers (Chrome, Firefox, Safari). You’ll find most issues that way. And with the configuration you have, you’re basically allowing almost all that CSP protects against anyway, so you shouldn’t have any need for the reports.
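
To make the noise in collected reports concrete, here is an added example (not from the thread and not Discourse's own code) that groups raw CSP violation report bodies by directive and blocked origin and drops the ones caused by browser extensions. It assumes the standard report-uri JSON body with a top-level "csp-report" object; the sample reports, the placeholder values in them and the extension-scheme list are constructed for illustration.

```ruby
require "json"
require "uri"

# Schemes that mark a report as caused by a browser extension, not the site (assumed list).
NOISE_SCHEMES = %w[chrome-extension moz-extension safari-extension safari-web-extension].freeze

# Collapse a blocked-uri to a groupable value: keywords such as "inline" or
# "data" stay as they are, URLs are reduced to scheme://host.
def origin_of(value)
  value = value.to_s
  return "(empty)" if value.empty?
  uri = URI.parse(value)
  return value unless uri.scheme
  uri.host ? "#{uri.scheme}://#{uri.host}" : "#{uri.scheme}:"
rescue URI::InvalidURIError
  "(unparseable)"
end

def noise?(report)
  [report["blocked-uri"], report["source-file"]].compact.any? do |v|
    NOISE_SCHEMES.include?(v.to_s[/\A([a-z][a-z0-9+.-]*):/i, 1].to_s.downcase)
  end
end

# Takes raw JSON request bodies; returns grouped counts plus the number dropped.
def triage(raw_bodies)
  reports = raw_bodies.map { |b| JSON.parse(b)["csp-report"] rescue nil }
  kept = reports.select { |r| r.is_a?(Hash) && !noise?(r) }
  counts = kept.each_with_object(Hash.new(0)) do |r, acc|
    directive = r["effective-directive"] || r["violated-directive"].to_s.split.first || "(unknown)"
    acc[[directive, origin_of(r["blocked-uri"])]] += 1
  end
  { actionable: counts.sort_by { |key, n| [-n, key] }, dropped: raw_bodies.size - kept.size }
end

# Constructed sample bodies, not real traffic.
ADS = "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"
SAMPLE_REPORTS = [
  { "csp-report" => { "effective-directive" => "script-src", "blocked-uri" => ADS } },
  { "csp-report" => { "violated-directive" => "script-src 'self'", "blocked-uri" => ADS } },
  { "csp-report" => { "effective-directive" => "script-src", "blocked-uri" => "inline",
                      "source-file" => "moz-extension://1111-2222/content.js" } },
  { "csp-report" => { "effective-directive" => "img-src", "blocked-uri" => "data" } },
  { "csp-report" => { "blocked-uri" => "chrome-extension://aaaabbbb/inject.js" } }
].map(&:to_json) + ["not json"]

puts JSON.pretty_generate(triage(SAMPLE_REPORTS)) if __FILE__ == $PROGRAM_NAME
```

Of the six sample bodies, three are dropped as extension noise or unparseable input, leaving two distinct directive and origin pairs to act on.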