Description
One thing about CSP that I've always found extremely dangerous is its ability to generate an enormous amount of traffic for a reporting endpoint if you hit browser bugs or use a misconfigured policy. This was a very real issue for us and something we've mitigated using a patch to only send a percentage of the reports to the reporting endpoint. We tune this number up and down based on the risk when we roll out an updated policy.
My question to the other users of secureheaders is whether or not this configuration option would be valuable to you. If so, I'm happy to open a PR with our base implementation and we can expand on it from there. To give you a bit of an idea around the implementation:
# initializer
config.csp_report_only = {
  # .. snip
  report_uri: %w(https://report-uri.io/example-csp-report-only),
  sample_rate: 0.3 # only send 30% of violations
}
The above configuration would then result in the report-uri directive for the policy only being appended 30% of the time, and the remaining 70% would not have the report-uri directive at all.
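To make the proposed behaviour concrete, here is an added example (not secure_headers' own code and not the patch mentioned in the post) that builds a policy string from a hash shaped like the snippet above and appends the report-uri directive only on a sampled fraction of requests. The config keys, the `build_csp` / `report_sampled?` helpers and the injectable `rng` are assumptions for illustration; a missing `sample_rate` is treated as "always report", and an `observed_report_fraction` helper shows how you would sanity-check a tuned rate before rolling it out.

```ruby
# Added example: sampled emission of the report-uri directive.
# Not the secure_headers gem's implementation; config keys and helpers are
# assumptions made for this illustration.

# Constructed sample config in the style of the issue's snippet.
# sample_rate is the hypothetical option under discussion.
DEFAULT_CONFIG = {
  default_src: %w('self'),
  script_src: %w('self' https://cdn.example.com),
  report_uri: %w(https://report-uri.io/example-csp-report-only),
  sample_rate: 0.3 # only send 30% of violations (hypothetical key)
}.freeze

# Returns true when this request should carry the report-uri directive.
# sample_rate is clamped into [0, 1]; when absent we report on every
# request, which matches today's behaviour. rng is injectable so the
# sampling decision can be tested deterministically.
def report_sampled?(config, rng: Random.new)
  rate = config.fetch(:sample_rate, 1.0)
  rate = [[rate.to_f, 0.0].max, 1.0].min
  rng.rand < rate
end

# Builds the Content-Security-Policy value. Directive names are derived
# from the hash keys (script_src -> script-src); report_uri is appended
# only when the sampler says so, and sample_rate never reaches the header.
def build_csp(config, rng: Random.new)
  directives = config.reject { |k, _| k == :report_uri || k == :sample_rate }
  parts = directives.map do |name, values|
    "#{name.to_s.tr('_', '-')} #{values.join(' ')}"
  end
  if config[:report_uri] && report_sampled?(config, rng: rng)
    parts << "report-uri #{config[:report_uri].join(' ')}"
  end
  parts.join('; ')
end

# Simulates n requests and returns the fraction that carried report-uri.
# Useful as a pre-rollout check that the configured rate does what you think.
def observed_report_fraction(config, n: 10_000, rng: Random.new(42))
  hits = n.times.count { build_csp(config, rng: rng).include?('report-uri') }
  hits.fdiv(n)
end

if $PROGRAM_NAME == __FILE__
  puts build_csp(DEFAULT_CONFIG)
  puts "observed report-uri fraction: #{observed_report_fraction(DEFAULT_CONFIG)}"
end
```

Note that sampling at header-generation time means the browser never learns about the endpoint on the unsampled requests, so no report is generated at all rather than being dropped server-side; that is what keeps the traffic off the reporting endpoint.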