
CSP report handler in example app #21

Open
rviscomi opened this issue Mar 16, 2018 · 3 comments


@rviscomi

Hi, I just started using flask-talisman for enforcing HTTPS on my site, but now I'm eager to take advantage of CSP. A couple of questions about CSP reporting:

Regarding content_security_policy_report_uri, MDN says that it's deprecated despite being widely supported, in favor of report-to which isn't even supported anywhere. Is this considered a stable/supported feature of flask-talisman?

Assuming I set up a report-uri directive, I'm not sure what to do with it on the server side. Could you add a demo to the example app showing how to ingest CSP reports and do something useful with them, like logging to Stackdriver, etc?

Do you have any plans to provide a default built-in CSP report handler?

@theacodes
Contributor

Hi @rviscomi. Any features or enhancements here would have to be done by volunteers. I'm happy to help review and guide, but I won't be personally adding any major new features.

If you're up for taking this on, go for it! Otherwise, I'll leave this here in case others want to take it on.

@Heisendev
Contributor

Heisendev commented May 16, 2019

@rviscomi that's what we do at my company: we send the data to GCP logging.

```python
import json

from flask import Blueprint, current_app, request

bp = Blueprint('csp', __name__)


@bp.route('/csp-report', methods=['POST'])
def csp_report():
    report = request.get_data()
    logged_report_dict = {}
    try:
        logged_report_dict['extra_data'] = json.loads(report)
        # Legacy report-uri payloads wrap the fields in a "csp-report" object.
        blocked_uri = logged_report_dict['extra_data']['csp-report']['blocked-uri']
    except (json.decoder.JSONDecodeError, UnicodeDecodeError, KeyError, TypeError):
        current_app.logger.warning('Invalid csp-report payload: %s', str(report))
    else:
        # `extra` attaches the full report to the log record so GCP logging keeps it as structured data.
        current_app.logger.critical(
            'Invalid script detected: %s',
            blocked_uri,
            extra=logged_report_dict
        )
    # Browsers ignore the response body; don't echo untrusted input back.
    return '', 204
```
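Added example, not code from flask-talisman or from any commenter in this thread: a handler that ingests both the legacy `report-uri` payload (`{"csp-report": {...}}` with hyphenated keys, sent as `application/csp-report`) that rviscomi asked about and the Reporting API shape used by the `report-to` directive also discussed in this thread (a JSON array of reports sent as `application/reports+json`, of which only `"type": "csp-violation"` entries are CSP reports), normalizes them, and triages before logging. `parse_csp_reports`, `classify`, `_normalize`, the key maps and the sample payloads are names and data constructed here; the field names follow the CSP specification's legacy report JSON and the Reporting API `csp-violation` body. `create_app()` assumes Flask and flask-talisman are installed; the rest is standard library only.

```python
"""Ingest CSP violation reports (legacy report-uri and Reporting API shapes), triage, log."""
from __future__ import annotations

import json
import logging

log = logging.getLogger("csp")

MAX_BODY_BYTES = 16 * 1024  # real reports are a few hundred bytes; bound what a client may send
MAX_FIELD_LEN = 2048        # cap each field so one report cannot flood the log
NON_URL_BLOCKED = {"", "inline", "eval", "self", "data", "about", "blob", "wasm-eval"}  # keywords, not URLs
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr"}
LEVELS = {"critical": logging.CRITICAL, "warning": logging.WARNING, "info": logging.INFO}

# Same fields, two spellings: legacy report-uri JSON uses hyphens, Reporting API bodies use camelCase.
LEGACY_KEYS = {"document_url": "document-uri", "blocked_url": "blocked-uri",
               "effective_directive": "effective-directive", "disposition": "disposition",
               "sample": "script-sample"}
REPORT_TO_KEYS = {"document_url": "documentURL", "blocked_url": "blockedURL",
                  "effective_directive": "effectiveDirective", "disposition": "disposition",
                  "sample": "sample"}


def _clean(value: object) -> str:
    """Coerce an untrusted field to one bounded line so it cannot forge extra log lines."""
    text = "" if value is None else str(value)
    return text.replace("\r", " ").replace("\n", " ")[:MAX_FIELD_LEN]


def _normalize(body: dict, keys: dict) -> dict:
    out = {field: _clean(body.get(src)) for field, src in keys.items()}
    # CSP1 browsers only sent violated-directive ("script-src 'self'"); CSP2+ add effective-directive.
    out["effective_directive"] = out["effective_directive"] or _clean(body.get("violated-directive"))
    out["disposition"] = out["disposition"] or "enforce"  # absent before CSP3 means enforced
    return out


def parse_csp_reports(content_type: str | None, raw: bytes) -> list[dict]:
    """Parse a report POST body into normalized dicts; ValueError means 'answer 400 and move on'."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError("payload too large")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not JSON: {exc}") from None
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    if mime == "application/reports+json":  # report-to: an array, possibly mixed with other report types
        if not isinstance(obj, list):
            raise ValueError("Reporting API payload must be a JSON array")
        return [_normalize(r["body"], REPORT_TO_KEYS) for r in obj
                if isinstance(r, dict) and r.get("type") == "csp-violation" and isinstance(r.get("body"), dict)]
    body = obj.get("csp-report") if isinstance(obj, dict) else None  # application/csp-report (or type stripped)
    if not isinstance(body, dict):
        raise ValueError("missing csp-report object")
    return [_normalize(body, LEGACY_KEYS)]


def classify(report: dict) -> str:
    """Triage: an enforced script block of an external URL is the 'someone injected a script' signal."""
    if report["effective_directive"].split(" ", 1)[0] not in SCRIPT_DIRECTIVES:
        return "info"  # img/style/font violations: mostly extensions and dev mistakes
    if report["disposition"] != "enforce":
        return "warning"  # report-only policy: nothing was actually blocked
    return "warning" if report["blocked_url"] in NON_URL_BLOCKED else "critical"


def create_app():
    """Flask + flask-talisman wiring. Assumes both are installed; this is not the library's own code."""
    from flask import Flask, request
    from flask_talisman import Talisman

    app = Flask(__name__)
    Talisman(app, content_security_policy={"default-src": "'self'", "script-src": "'self'"},
             content_security_policy_report_uri="/csp-report")

    @app.route("/csp-report", methods=["POST"])  # exempt from CSRF protection: browsers send no token
    def csp_report():
        try:
            reports = parse_csp_reports(request.content_type, request.get_data())
        except ValueError as exc:
            log.warning("rejected CSP report: %s", exc)
            return "", 400
        for rep in reports:
            log.log(LEVELS[classify(rep)], "csp %s %s blocked %r on %s", rep["disposition"],
                    rep["effective_directive"], rep["blocked_url"], rep["document_url"])
        return "", 204  # browsers ignore the body; never echo untrusted input back

    return app


# Constructed sample payloads (not captured from a real browser) exercising both formats.
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://app.example/dashboard", "violated-directive": "script-src 'self'",
    "effective-directive": "script-src", "blocked-uri": "https://evil.example/x.js", "status-code": 200}}).encode()
REPORT_TO_SAMPLE = json.dumps([
    {"type": "deprecation", "url": "https://app.example/", "body": {"id": "unused"}},
    {"type": "csp-violation", "url": "https://app.example/dashboard", "body": {
        "documentURL": "https://app.example/dashboard", "blockedURL": "inline",
        "effectiveDirective": "script-src-elem", "disposition": "enforce",
        "sample": "alert(1)\nfetch('//evil.example')"}},
]).encode()
```

Two points worth keeping in mind when wiring this up for real: the endpoint is hit by browsers, not by logged-in users, so it must accept unauthenticated POSTs, be excluded from any CSRF middleware, and be rate limited, since anyone who can reach it can generate arbitrary "violations"; and every field in the report is attacker-controlled, which is why the example bounds the body size, flattens newlines before logging, and never echoes the payload back. Logging at critical only for enforced `script-src` blocks of a real URL keeps the signal above the noise from browser extensions and report-only trials (flask-talisman's `content_security_policy_report_only` flag).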

@Heisendev
Contributor

I don't think we should use the report-to directive while it isn't as well supported as the report-uri directive.

I can make a PR to add this directive though.
