From 53849b50b24dcba3075e2d39d1cb9eecf7995fb2 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Tue, 22 May 2018 09:01:13 +0100
Subject: [PATCH 1/1] Put CSP in enforcing mode

---
 cookbooks/web/recipes/rails.rb        | 2 +-
 cookbooks/web/resources/rails_port.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb
index d5f34cbf7..ab6c4e7f2 100644
--- a/cookbooks/web/recipes/rails.rb
+++ b/cookbooks/web/recipes/rails.rb
@@ -90,7 +90,7 @@ rails_port "www.openstreetmap.org" do
   mapzen_valhalla_key web_passwords["mapzen_valhalla_key"]
   thunderforest_key web_passwords["thunderforest_key"]
   totp_key web_passwords["totp_key"]
-  csp_report_url "https://openstreetmap.report-uri.io/r/default/csp/reportOnly"
+  csp_enforce true
 end
 
 package "libjson-xs-perl"
diff --git a/cookbooks/web/resources/rails_port.rb b/cookbooks/web/resources/rails_port.rb
index d53cac881..1c95dd8dc 100644
--- a/cookbooks/web/resources/rails_port.rb
+++ b/cookbooks/web/resources/rails_port.rb
@@ -65,6 +65,7 @@ property :mapquest_key, String
 property :mapzen_valhalla_key, String
 property :thunderforest_key, String
 property :totp_key, String
+property :csp_enforce, [TrueClass, FalseClass], :default => false
 property :csp_report_url, String
 property :piwik_configuration, Hash
 
@@ -264,6 +265,10 @@ action :create do
       line.gsub!(/^( *)#totp_key:.*$/, "\\1totp_key: \"#{new_resource.totp_key}\"")
     end
 
+    if new_resource.csp_enforce
+      line.gsub!(/^( *)csp_enforce:.*$/, "\\1csp_enforce: \"#{new_resource.csp_enforce}\"")
+    end
+
     if new_resource.csp_report_url
       line.gsub!(/^( *)#csp_report_url:.*$/, "\\1csp_report_url: \"#{new_resource.csp_report_url}\"")
     end
-- 
2.43.2