-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
report-uri
sample rate
#379
Comments
I vaguely recall implementing something like this when all values accepted |
I think this would be a welcomed addition that I am just researching how to accomplish |
Both us and GitHub are now running 5.2 which supports CSP out of the box. I know we have replaced majority of In rails 5.2 we handle the sampling in the initializer Rails.application.config.content_security_policy do |policy|
# .. snip
policy.report_uri(proc { "https://collector" if Random.rand(100) < 2 })
end This doesn't work before 5.2.2 though as we had to file rails/rails#34200 in order to have |
Nay but it's certainly on our backlog. I have been trying to pass ownership of this repo on to someone else but I plan on archiving this repo in the not to far future. I hope to see someone fork this project and become the new home. This library still has value for out of date applications or non-rails applications, neither of which I support anymore. I have a strong policy against maintaining code you don't use and soon I won't be using |
One thing about CSP that I've always found extremely dangerous is it's ability to generate an enormous amount of traffic for a reporting endpoint if you hit browser bugs or use a misconfigured policy. This was a very real issue for us and something we've mitigated using a patch to only send a percentage of the reports to the reporting endpoint. We tune this number up and down based on the risk when we roll out an updated policy.
My question to the other users of
secureheaders
is whether or not this configuration option would be valuable to you? If so, I'm happy to open a PR with our base implementation and we can expand on it from there. To give you a bit of an idea around the implementation:The above configuration would then result in the
report-uri
directive for the policy only being appended 30% of the time and the remaining 70% would not have thereport-uri
directive at all.The text was updated successfully, but these errors were encountered: