Update forward_endpoint use

It actually makes sense now

app/controllers/content_security_policy_controller.rb

@@ -7,13 +7,13 @@ class ContentSecurityPolicyController < ActionController::Base
   def scribe
     csp = ::SecureHeaders::Configuration.csp
 
-    report_uri = csp[:report_uri] if csp
-    if report_uri.nil?
+    forward_endpoint = csp[:forward_endpoint] if csp
+    if forward_endpoint.nil?
       head :ok
       return
     end
 
-    uri = URI.parse(report_uri)
+    uri = URI.parse(forward_endpoint)
     http = Net::HTTP.new(uri.host, uri.port)
     if uri.scheme == 'https'
       use_ssl(http)
@@ -31,7 +31,7 @@ class ContentSecurityPolicyController < ActionController::Base
 
     head :ok
   rescue StandardError => e
-    Rails.logger.warn("Unable to POST CSP report to #{report_uri} because #{e}") if defined?(Rails.logger)
+    Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}") if defined?(Rails.logger)
     head :bad_request
   end
 

lib/secure_headers/headers/content_security_policy.rb

@@ -56,7 +56,7 @@ module SecureHeaders
       @report_uri = @config.delete(:report_uri)
 
       normalize_csp_options
-      normalize_reporting_endpoint if report_uri && forward_endpoint
+      normalize_reporting_endpoint if forward_endpoint
       filter_unsupported_directives
     end
 
@@ -182,9 +182,8 @@ module SecureHeaders
     # or only a path was supplied (in which case we assume cross-host)
     # we need to forward the request for Firefox.
     def normalize_reporting_endpoint
-      # can't use supports_standard because FF18 does not support cross-origin posting.
       if browser.firefox? && (!same_origin? || URI.parse(report_uri).host.nil?)
-        @report_uri = (@forward_endpoint || FF_CSP_ENDPOINT)
+        @report_uri = FF_CSP_ENDPOINT
       end
     end
 

spec/controllers/content_security_policy_controller_spec.rb

@@ -14,9 +14,10 @@ describe ContentSecurityPolicyController do
   describe "#csp" do
     let(:request) { double().as_null_object }
     let(:endpoint) { "https://example.com" }
+    let(:secondary_endpoint) { "https://internal.example.com" }
 
     before(:each) do
-      SecureHeaders::Configuration.stub(:csp).and_return(:report_uri => endpoint)
+      SecureHeaders::Configuration.stub(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
       subject.should_receive :head
       subject.stub(:params).and_return(params)
       Net::HTTP.any_instance.stub(:request)
@@ -24,7 +25,6 @@ describe ContentSecurityPolicyController do
 
     context "delivery endpoint" do
       it "posts over ssl" do
-        SecureHeaders::Configuration.stub(:csp).and_return(:report_uri => endpoint)
         subject.should_receive(:use_ssl)
         subject.scribe
       end
@@ -43,8 +43,8 @@ describe ContentSecurityPolicyController do
       subject.scribe
     end
 
-    it "POSTs to the configured host" do
-      Net::HTTP::Post.should_receive(:new).with(endpoint).and_return(request)
+    it "POSTs to the configured forward_endpoint" do
+      Net::HTTP::Post.should_receive(:new).with(secondary_endpoint).and_return(request)
       subject.scribe
     end
 

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -289,12 +289,6 @@ module SecureHeaders
           csp = ContentSecurityPolicy.new(request_for(FIREFOX_18), default_opts)
           csp.value.should =~ /default-src/
         end
-
-        # cross-host posting not allowed in FF < 18
-        it "changes the report-uri to the local forwarder path if cross-host" do
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX), @options_with_forwarding)
-          csp.value.should =~ /report-uri #{@options_with_forwarding[:forward_endpoint]};/
-        end
       end
 
       context "X-Webkit-CSP" do