add a reasonable default Content Security Policy

ideally we'd improve this over time to remove the `unsafe-inline` lines,
but we can't due that today because Angular1 makes use of a lot of
inline <script> and <style> tag generation

see: https://github.com/ansible/awx/issues/2056

awx/main/views.py

@@ -1,14 +1,20 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.
 
+import json
+
 # Django
+from django.http import HttpResponse
 from django.shortcuts import render
 from django.utils.html import format_html
 from django.utils.translation import ugettext_lazy as _
+from django.views.decorators.csrf import csrf_exempt
 
 # Django REST Framework
 from rest_framework import exceptions, permissions, views
 
+import logging
+
 
 def _force_raising_exception(view_obj, request, format=None):
     raise view_obj.exception_class()
@@ -84,3 +90,10 @@ def handle_500(request):
         'content': _('A server error has occurred.'),
     }
     return handle_error(request, 500, **kwargs)
+
+
+@csrf_exempt
+def handle_csp_violation(request):
+    logger = logging.getLogger('awx')
+    logger.error(json.loads(request.body))
+    return HttpResponse(content=None)

awx/urls.py

@@ -8,6 +8,7 @@ from awx.main.views import (
     handle_403,
     handle_404,
     handle_500,
+    handle_csp_violation,
 )
 
 
@@ -20,6 +21,7 @@ urlpatterns = [
     url(r'^(?:api/)?403.html$', handle_403),
     url(r'^(?:api/)?404.html$', handle_404),
     url(r'^(?:api/)?500.html$', handle_500),
+    url(r'^csp-violation/', handle_csp_violation),
 ]
 
 if settings.SETTINGS_MODULE == 'awx.settings.development':