source: admin/csp_report.php @ 3324:97f1652d6e7f

<?php
// From: https://github.com/nico3333fr/CSP-useful
//
// Note: this script requires PHP ≥ 5.4.
// Inspired from https://mathiasbynens.be/notes/csp-reports

// Dareboost wants it? Not a problem.
header('X-Content-Type-Options: "nosniff"');

require dirname(__FILE__).'/../inc/admin/prepend.php';

// Specify log file
define('LOGFILE',path::real(DC_TPL_CACHE).'/csp_report.txt');

// Get the raw POST data
$data = file_get_contents('php://input');

// Only continue if it’s valid JSON that is not just `null`, `0`, `false` or an
// empty string, i.e. if it could be a CSP violation report.
if ($data = json_decode($data, true)) {

     // get source-file and blocked-URI to perform some tests
     $source_file   = $data['csp-report']['source-file'];
     $blocked_uri   = $data['csp-report']['blocked-uri'];

     if (

     // avoid false positives notifications coming from Chrome extensions (Wappalyzer, MuteTab, etc.)
     // bug here https://code.google.com/p/chromium/issues/detail?id=524356
     strpos($source_file, 'chrome-extension://') === false

     // avoid false positives notifications coming from Safari extensions (diigo, evernote, etc.)
     && strpos($source_file, 'safari-extension://') === false

     // search engine extensions ?
     && strpos($source_file, 'se-extension://') === false

     // added by browsers in webviews
     && strpos($blocked_uri, 'webviewprogressproxy://') === false

      ) {
               // Prettify the JSON-formatted data
               $data = json_encode(
                         $data,
                         JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES
                         );

               if (!($fp = @fopen(LOGFILE,'a'))) {
                    return;
               }
               fprintf($fp,'%s',$data);
          }
}