Mitigate XSS Attacks with Content Security Policy

As promised, this feature was just enabled by default: CSP Frame Ancestors enabled by default

9 Likes

Hello,
I am currently setting up Google Adsense on my website and seems I am missing the “Enable CSP violation report collection at /csp_reports” settings… I am currently self-hosting Discourse on version 2.9.0.beta6

above, in quote, a screenshot of the setting I am missing


above, my setting page for CSP with the “Enable CSP violation report collection at /csp_reports” missing.

Any help is appreciated ! And please tell me if I set-up the settings I have correctly for Adsense, I never used it before :eyes: !

2 Likes

Apologies, my earlier replies here are outdated because as of ~ a month ago we made content_security_policy_collect_reports a hidden setting. You can still enable it but you need to do it via the Rails console, as in:

./launcher enter app
...
rails c 
...
SiteSetting.content_security_policy_collect_reports = true

Note that this is very noisy, I highly recommend not going down this route at all and simply enabling CSP and navigating the site with the browser console open using multiple browsers (Chrome, Firefox, Safari). You’ll find most issues that way. And with the configuration you have, you’re basically allowing almost all that CSP protects against anyway, so you shouldn’t have any need for the reports.

2 Likes