rails
Parse `application/csp-report` by default
Summary
If `report-uri` is provided in the `Content-Security-Policy: ...` header (e.g. when `Rails.application.config.content_security_policy.report_uri` is configured), browsers will report CSP violations to `report-uri` as a JSON object (schema) with a `Content-Type: application/csp-report` header.
For a Rails user, if he configured `config.report_uri` pointing to a Rails `controller#action`, he would also have to do either one of the following:
- Write `body = JSON.parse(request.body.read)` in the corresponding controller action
- Add `Mime::Type.register('application/csp-report', :json)` in `config/initializers/mime_type.rb`
Since Rails supports Content Security Policy out of the box, I think it would be nice if `application/csp-report` is also supported by default.
Other Information
This PR may be similar to #44608
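
The first workaround listed in the summary (reading and parsing the body in the action), written as a plain-Ruby helper; this is an added example, not code from the PR or from Rails. The names `parse_csp_report`, `MAX_REPORT_BYTES` and `KEPT_FIELDS`, the size cap and the sample report are assumptions. Because a `report-uri` endpoint receives unauthenticated browser POSTs, the helper checks the media type, bounds the body and keeps only known string fields.

```ruby
require "json"

# Constructed sample of the body a browser POSTs to report-uri.
SAMPLE_REPORT = <<~BODY
  {"csp-report": {"document-uri": "https://example.test/page",
    "violated-directive": "script-src-elem",
    "blocked-uri": "https://cdn.example.test/x.js",
    "original-policy": "default-src 'self'; report-uri /csp_reports"}}
BODY

CSP_MEDIA_TYPE   = "application/csp-report"
MAX_REPORT_BYTES = 16 * 1024 # assumed cap; anyone can POST to this endpoint
MAX_FIELD_CHARS  = 2048      # assumed cap per stored field
KEPT_FIELDS = %w[document-uri violated-directive effective-directive
                 blocked-uri original-policy].freeze

# Returns a hash of the kept fields, or nil when the request is not a
# usable CSP report (wrong media type, oversized, bad JSON, wrong shape).
def parse_csp_report(content_type, raw_body)
  # Ignore parameters such as "; charset=utf-8" when comparing the type.
  media_type = content_type.to_s.split(";").first.to_s.strip.downcase
  return nil unless media_type == CSP_MEDIA_TYPE
  return nil if raw_body.nil? || raw_body.bytesize > MAX_REPORT_BYTES

  report = JSON.parse(raw_body)
  inner = report.is_a?(Hash) ? report["csp-report"] : nil
  return nil unless inner.is_a?(Hash)

  # Keep only expected string fields and truncate them before logging/storing.
  KEPT_FIELDS.each_with_object({}) do |key, out|
    value = inner[key]
    out[key] = value[0, MAX_FIELD_CHARS] if value.is_a?(String)
  end
rescue JSON::ParserError
  nil
end
```

In a controller action this would be called with `request.content_type` and `request.body.read`.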