From 1e9bbb8fc9f1f548a7f1228bb3de49513139cd43 Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Wed, 6 Nov 2024 18:53:30 +0100
Subject: [PATCH] server: Enforce CSP with `--app.strict_csp_enabled` (#7717)

There haven't been any CSP reports in dev since the latest fix. The flag is only enabled in dev, with violations upgraded to warnings. Also enables the flag in webdriver tests. **Related issues**: buildbuddy-io/buildbuddy-internal#3911
---
 .../testutil/buildbuddy_enterprise/buildbuddy_enterprise.go | 1 +
 server/http/csp/csp.go | 2 +-
 server/http/interceptors/interceptors.go | 5 ++---
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/enterprise/server/testutil/buildbuddy_enterprise/buildbuddy_enterprise.go b/enterprise/server/testutil/buildbuddy_enterprise/buildbuddy_enterprise.go
index ffd1861164a..6d33f61f10f 100644
--- a/enterprise/server/testutil/buildbuddy_enterprise/buildbuddy_enterprise.go
+++ b/enterprise/server/testutil/buildbuddy_enterprise/buildbuddy_enterprise.go
@@ -99,6 +99,7 @@ func SetupWebTarget(t *testing.T, localArgs ...string) WebTarget {
 args := append([]string{
 "--cache.detailed_stats_enabled=true",
 "--app.user_owned_keys_enabled=true",
+ "--app.strict_csp_enabled=true",
 }, localArgs...)
 return Run(t, args...)
 case "remote":
diff --git a/server/http/csp/csp.go b/server/http/csp/csp.go
index 19f166d5b8e..66cb8fa9d84 100644
--- a/server/http/csp/csp.go
+++ b/server/http/csp/csp.go
@@ -17,7 +17,7 @@ const ReportingEndpoint = "/csp-report"
 var ReportingHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 for _, report := range extractReports(r.Body) {
- log.CtxDebug(r.Context(), report)
+ log.CtxWarning(r.Context(), report)
 }
 })
diff --git a/server/http/interceptors/interceptors.go b/server/http/interceptors/interceptors.go
index c0d251d0dc4..76eefd01067 100644
--- a/server/http/interceptors/interceptors.go
+++ b/server/http/interceptors/interceptors.go
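Review bot: After the switch from CtxDebug to CtxWarning in ReportingHandler, every report extracted from an unauthenticated POST body is written to the warning log, and nothing in this hunk bounds the request body or the number of reports handled per request, so a single client can fill the warning channel by posting to /csp-report. Whether extractReports applies its own size limit cannot be seen from here. I would cap the body before parsing, e.g. `for _, report := range extractReports(http.MaxBytesReader(w, r.Body, maxReportBytes)) {` with `maxReportBytes` a package constant of a few KiB (name and size are placeholders), and consider emitting one structured warning per request carrying the report count rather than one line per report.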
@@ -40,7 +40,7 @@ import (
 var (
 upgradeInsecure = flag.Bool("ssl.upgrade_insecure", false, "True if http requests should be redirected to https. Assumes http traffic is served on port 80 and https traffic is served on port 443 (typically via an ingress / load balancer).")
- strictCspEnabled = flag.Bool("app.strict_csp_enabled", false, "If set, enable a strict CSP header in report only mode.")
+ strictCspEnabled = flag.Bool("app.strict_csp_enabled", false, "If set, set a strict CSP header. Violations are logged at warning level.")
 )
 const contentSecurityPolicyReportingEndpointName = "csp-endpoint"
@@ -94,8 +94,7 @@ func setContentSecurityPolicy(h http.Header) string {
 panic(fmt.Sprintf("Failed to generate nonce: %s", err))
 }
 nonce := base64.StdEncoding.EncodeToString(nonceBytes)
- // TODO: Enable this by dropping the "-Report-Only" suffix.
- h.Set("Content-Security-Policy-Report-Only", getContentSecurityPolicyHeaderValue(nonce))
+ h.Set("Content-Security-Policy", getContentSecurityPolicyHeaderValue(nonce))
 return nonce
 }
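Review bot: Replacing the Content-Security-Policy-Report-Only header with the enforcing one leaves no report-only path at all, so an operator turning on app.strict_csp_enabled for a deployment whose pages were never exercised in dev goes straight from no policy to blocking, with violation reports arriving only after users are already affected. The help text changed in the first hunk describes the enforcing behaviour but not that the monitoring mode is gone. I would keep a monitoring phase available by deriving the header name from a second flag, `name := "Content-Security-Policy"; if *cspReportOnly { name += "-Report-Only" }` followed by `h.Set(name, getContentSecurityPolicyHeaderValue(nonce))` (flag name is a placeholder). setContentSecurityPolicy begins outside the hunk; the panic on nonce generation failure is pre-existing and unchanged here.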