diff --git a/IPython/html/base/handlers.py b/IPython/html/base/handlers.py
index e6e5cd1..6b34488 100644
--- a/IPython/html/base/handlers.py
+++ b/IPython/html/base/handlers.py
@@ -32,6 +32,8 @@ from IPython.utils.path import filefind
from IPython.utils.py3compat import string_types
from IPython.html.utils import is_hidden, url_path_join, url_escape
+from IPython.html.services.security.handlers import csp_report_uri
+
#-----------------------------------------------------------------------------
# Top-level handlers
#-----------------------------------------------------------------------------
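Review bot: The new top-level import `from IPython.html.services.security.handlers import csp_report_uri` looks like it creates a circular import, because this same commit makes `services/security/handlers.py` import from this module (`from ...base.handlers import IPythonHandler, json_errors`). If `base.handlers` is loaded first, the security module would run against a partially initialised `base.handlers` in which `IPythonHandler` is presumably not yet defined, since the class definitions come after the import block. Defining the `csp_report_uri` constant somewhere that imports no handler classes, for example the `services/security` package `__init__`, and importing it from there in both modules would avoid the cycle.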
@@ -46,8 +48,20 @@ class AuthenticatedHandler(web.RequestHandler):
headers = self.settings.get('headers', {})
if "Content-Security-Policy" not in headers:
- headers["Content-Security-Policy"] = "default-src 'self'"
+ #headers["Content-Security-Policy"] = ""
+ pass
+
+ if "Content-Security-Policy-Report-Only" not in headers:
+
+ reporter_policy = ("default-src 'self'; " +
+ "report-uri " + url_path_join(self.base_url, csp_report_uri) +
+ ";"
+ )
+ self.log.info(reporter_policy)
+
+ headers["Content-Security-Policy-Report-Only"] = reporter_policy
+ # Allow for overriding headers
for header_name,value in headers.items() :
try:
self.set_header(header_name, value)
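Review bot: With the `default-src 'self'` assignment replaced by a commented-out line and `pass`, a deployment that configures no headers now sends only `Content-Security-Policy-Report-Only`, which asks browsers to report violations but not to block them. If that is a deliberate transition step, say so in place of the dead branch, e.g. `# Enforcing CSP is intentionally off by default; violations are only reported for now.`, and drop the `#headers["Content-Security-Policy"] = ""` line. Separately, `self.log.info(reporter_policy)` appears to run whenever the default headers are built, so `self.log.debug(reporter_policy)` would keep the policy string out of routine logs. The method starts before this hunk and its `try:` block continues past it.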
diff --git a/IPython/html/services/security/handlers.py b/IPython/html/services/security/handlers.py
index 1b842ed..120279f 100644
--- a/IPython/html/services/security/handlers.py
+++ b/IPython/html/services/security/handlers.py
@@ -1,5 +1,11 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
+"""Tornado handlers for security logging."""
+
+# Copyright (c) IPython Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+from tornado import gen, web
+
+from ...base.handlers import IPythonHandler, json_errors
class CSPReportHandler(IPythonHandler):
'''Accepts a content security policy violation report'''