Interpret and filter CSP reports

[chadwhitacre]

With gratipay/gratipay.com#4542 we are now sending CSP reports to Sentry, which makes them much more visible. That's great! But there's a lot of them. What do they mean? How should we process them?

[chadwhitacre]

They all use the csp logger:

https://sentry.io/gratipay/gratipay-com/?query=logger%3A%22csp%22

[chadwhitacre]

[chadwhitacre]

Worst addressed in gratipay/gratipay.com#4552.

[rohitpaulk]

I've turned off notifications (slack/email) for logger:csp on Sentry due to the noise.

[chadwhitacre]

Sorta defeats the purpose, but understandable for now. 😛

[chadwhitacre]

gratipay/gratipay.com#4552 doesn't solve the style-src problem in widget.html. We're still getting CSP violations, and Chrome is showing a different hash. From https://gratipay.com/~ask/widget.html:

How is the hash computed, I wonder?

[chadwhitacre]

Ah! We have variable URLs in there, for assets.

<style>
--
  | body {
  | margin: 0;
  | padding: 0;
  | overflow: hidden;
  | }
  | button {
  | font: normal 12pt/12pt "Lato", sans-serif;
  | text-decoration: none;
  |  
  | width: auto;
  | overflow: visible;
  | display: inline-block;
  | cursor: pointer;
  |  
  | border: 1pt solid #999;
  | border-radius: 7pt;
  |  
  | background: #F7F7F6 url("https://assets.gratipay.com/button-bg.png?etag=HDqGyL5qCGOoHnue-Gh6uw~~") repeat-x bottom left;

[chadwhitacre]

Lol, and etags, so it's variable per-deploy. 🙈

[chadwhitacre]

Alright, back to the drawing board. 😛

[chadwhitacre]

@/mattrobenolt suggests (IRL at PyOhio) that we send CSP reports to a separate project for better filterability.