From fb49bf223cc3e5fee7869e1477143c74b0e51d42 Mon Sep 17 00:00:00 2001
From: Niklas Fiekas <niklas.fiekas@backscattering.de>
Date: Thu, 9 Jul 2020 17:21:50 +0200
Subject: [PATCH] ditch csp reporting

---
 app/templating/AssetHelper.scala                    | 5 +----
 app/views/site/bits.scala                           | 2 +-
 modules/common/src/main/ContentSecurityPolicy.scala | 4 +---
 3 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/app/templating/AssetHelper.scala b/app/templating/AssetHelper.scala
index 068a476fef..6bbc2bc87b 100644
--- a/app/templating/AssetHelper.scala
+++ b/app/templating/AssetHelper.scala
@@ -7,8 +7,6 @@ import lila.api.Context
 import lila.app.ui.ScalatagsTemplate._
 import lila.common.{ AssetVersion, ContentSecurityPolicy, Nonce }
 
-import scala.util.Random
-
 trait AssetHelper { self: I18nHelper with SecurityHelper =>
 
   def isProd: Boolean
@@ -135,8 +133,7 @@ trait AssetHelper { self: I18nHelper with SecurityHelper =>
       workerSrc = List("'self'", assets),
       imgSrc = List("data:", "*"),
       scriptSrc = List("'self'", assets),
-      baseUri = List("'none'"),
-      reportTo = if (Random.nextInt(1000) == 0) List("default") else Nil
+      baseUri = List("'none'")
     )
   }
 
diff --git a/app/views/site/bits.scala b/app/views/site/bits.scala
index 885d719495..2241253d26 100644
--- a/app/views/site/bits.scala
+++ b/app/views/site/bits.scala
@@ -27,7 +27,7 @@ object bits {
 <html>
   <head>
     <meta charset="utf-8">
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com; script-src 'unsafe-eval' https://cdn.jsdelivr.net blob:; child-src blob:; connect-src https://raw.githubusercontent.com; img-src data: https://lichess.org https://lichess1.org; report-to default;">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com; script-src 'unsafe-eval' https://cdn.jsdelivr.net blob:; child-src blob:; connect-src https://raw.githubusercontent.com; img-src data: https://lichess.org https://lichess1.org;">
     <title>Lichess.org API reference</title>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <link href="https://fonts.googleapis.com/css?family=Montserrat:300,400,700|Roboto:300,400,700" rel="stylesheet">
diff --git a/modules/common/src/main/ContentSecurityPolicy.scala b/modules/common/src/main/ContentSecurityPolicy.scala
index 4df19d99eb..5fa2bfaf1c 100644
--- a/modules/common/src/main/ContentSecurityPolicy.scala
+++ b/modules/common/src/main/ContentSecurityPolicy.scala
@@ -9,8 +9,7 @@ case class ContentSecurityPolicy(
     workerSrc: List[String],
     imgSrc: List[String],
     scriptSrc: List[String],
-    baseUri: List[String],
-    reportTo: List[String]
+    baseUri: List[String]
 ) {
 
   def withNonce(nonce: Nonce) = copy(scriptSrc = nonce.scriptSrc :: scriptSrc)
@@ -81,7 +80,6 @@ case class ContentSecurityPolicy(
       "img-src "     -> imgSrc,
       "script-src "  -> scriptSrc,
       "base-uri "    -> baseUri,
-      "report-to "   -> reportTo
     ) collect {
       case (directive, sources) if sources.nonEmpty =>
         sources.mkString(directive, " ", ";")