NAME
    RT-Extension-CSP - View Content Security Policy Reports

DESCRIPTION
    This extension helps test with and view Content Security Policy Reports
    for various CSP settings.

RT VERSION
    Works with RT 5.0.6

INSTALLATION
    perl Makefile.PL
    make
    make install
        May need root permissions

    Edit your /opt/rt4/etc/RT_SiteConfig.pm
        Add this line:

            Plugin('RT::Extension::CSP');

    Clear your mason cache
            rm -rf /opt/rt5/var/mason_data/obj

    Restart your webserver

CONFIGURATION
    Use the following to set the CSP you want to test with.

  $CSPReportURI
    By default, this is set to /NoAuth/CSP-Report.html, which is provided
    with this extension. This endpoint will accept the POSTed CSP reports
    sent by the browser and print them to your log at the debug level.

    You can set a different value if you have a custom alternate endpoint to
    send these reports to.

        Set($CSPReportURI, '/my/custom/csp-report');

    Note that this may not work in all browsers. Reports have been confirmed
    with Firefox on Mac.

    If you don't see CSP information in your RT logs, you can still set the
    headers below and use the browser console to see CSP notices.

  $CSPDirective
    The directive for the Content-Security-Policy header.

    By default, this is not set.

    Setting a value may cause RT to stop working as expected. This is
    provided as a tool to help with testing.

        Set($CSPDirective, "default-src 'none';");

    See Content Security Policy
    <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Secur
    ity-Policy> for values.

  <$CSPReportDirective>
    The directive for the Content-Security-Policy-Report-Only header.

    This will cause the browser to report CSP issues, but still render the
    page as normal.

    By default, it uses the most restrictive default-src 'none';.

    Provide only the CSP rules, including semicolons. Do not provide the
    report-to part. That is added automatically based on the $CSPReportURI.

        Set($CSPReportDirective, "default-src 'none';");

AUTHOR
    Best Practical Solutions, LLC <modules@bestpractical.com>

    All bugs should be reported via email to
        bug-RT-Extension-CSP@rt.cpan.org
    or via the web at
        http://rt.cpan.org/Public/Dist/Display.html?Name=RT-Extension-CSP
LICENSE AND COPYRIGHT
    This software is Copyright (c) 2024 by Best Practical Solutions, LLC

    This is free software, licensed under:

      The GNU General Public License, Version 2, June 1991