Log warning if report_only is enabled with no report_uri

Author: xtian

lib/plug_content_security_policy.ex

@@ -57,6 +57,11 @@ defmodule PlugContentSecurityPolicy do
     field_value = Enum.map_join(config.directives, "; ", &convert_tuple/1) <> ";"
 
     if config.report_only do
+      _ =
+        unless config.directives[:report_uri] do
+          Logger.warn("#{__MODULE__}: `report_only` enabled but no `report_uri` specified")
+        end
+
       {@report_field, field_value}
     else
       {@default_field, field_value}

test/plug_content_security_policy_test.exs

@@ -105,5 +105,25 @@ defmodule PlugContentSecurityPolicyTest do
 
       assert log =~ "[warn]"
     end
+
+    test "logs warning if report_only is enabled with no report_uri directive ", %{conn: conn} do
+      log =
+        capture_log(fn ->
+          PlugCSP.call(conn, %{directives: %{}, nonces_for: [], report_only: true})
+        end)
+
+      assert log =~ "[warn]"
+
+      log =
+        capture_log(fn ->
+          PlugCSP.call(conn, %{
+            directives: %{report_uri: "http://example.com"},
+            nonces_for: [],
+            report_only: true
+          })
+        end)
+
+      assert log == ""
+    end
   end
 end