
Conversation

@KyFaSt
Contributor

@KyFaSt KyFaSt commented Nov 7, 2025

All PRs:

  • Has tests
  • Documentation updated

Adding a new header (Reporting-Endpoints)

Is the header supported by any user agent?
Yes - Chrome 116+, Edge 116+, Opera 102+ (via Reporting API)

What does it do?
Defines HTTP reporting endpoints for CSP violations and other security/performance reports using the HTTP Reporting API

What are the valid values?
Comma-separated pairs of [name="url"] where url must be HTTPS (e.g., csp-violations="https://example.com/reports")

Where does the specification live?
MDN Reporting-Endpoints and MDN report-to directive

Adding a new CSP directive (report-to)

Is the directive supported by any user agent?
Yes - Chrome 69+, Edge 79+, Firefox 110+, Safari 15.1+

What does it do?
Specifies a named reporting endpoint (defined via Reporting-Endpoints header) where CSP violations should be reported, replacing or complementing report-uri

What are the valid values?
A single string endpoint name (e.g., report-to csp-violations), must match a name defined in the Reporting-Endpoints header

@tmaier

tmaier commented Nov 19, 2025

This PR implements the same feature as #556
It suffers from failing tests due to rubocop, which are independent of this PR. I opened #558 to fix this

@KyFaSt
Contributor Author

KyFaSt commented Nov 20, 2025

Hi @tmaier thanks for your interest in secure_headers. I'm a maintainer and I've been testing all of the open PRs manually for compatibility. When I was testing #556 I noticed that implementation doesn’t deep copy reporting_endpoints in the dup method, unlike this implementation. I found that the reporting-endpoints header wasn’t always preserved on pages where overrides were used. When the config is overridden, the reporting endpoints might get dropped or unintentionally changed. Without a deep copy, changes to reporting endpoints for one request can accidentally get shared with other requests or configs—basically, updates can “leak” in weird ways, especially in threaded environments.

I only ran into this in an app that uses overrides, did you happen to test this out on an app that uses secure_headers overrides?
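The header and directive format from the PR description, and the shallow-vs-deep copy problem raised in the comment above, as an added Ruby example that is not secure_headers' own code (the class, its methods and the sample URLs are hypothetical):

```ruby
# Added example, not secure_headers' own code: a minimal config object that
# emits Reporting-Endpoints and the CSP report-to directive, and shows why a
# dup that does not deep-copy the endpoints hash lets a per-request override
# leak back into the shared base config. Names are hypothetical.
class ReportingConfig
  attr_reader :reporting_endpoints, :csp_report_to

  def initialize(reporting_endpoints: {}, csp_report_to: nil)
    @reporting_endpoints = reporting_endpoints
    @csp_report_to = csp_report_to
    validate!
  end

  # Reporting-Endpoints value: comma-separated name="url" pairs.
  def reporting_endpoints_header
    @reporting_endpoints.map { |name, url| %(#{name}="#{url}") }.join(", ")
  end

  # CSP directive naming one of the endpoints above (nil if not configured).
  def csp_report_to_directive
    @csp_report_to && "report-to #{@csp_report_to}"
  end

  # Object#dup is shallow: the copy shares @reporting_endpoints with the
  # original, so mutating the copy mutates the base config too. This method
  # duplicates the hash and its strings so overrides stay per-request.
  def deep_dup
    self.class.new(reporting_endpoints: @reporting_endpoints.transform_values(&:dup),
                   csp_report_to: @csp_report_to&.dup)
  end

  # Per-request override that mutates the hash in place (the risky path).
  def override!(name, url)
    @reporting_endpoints[name] = url
    validate!
    self
  end

  private

  # Endpoint URLs must be HTTPS and report-to must name a defined endpoint.
  def validate!
    @reporting_endpoints.each do |name, url|
      raise ArgumentError, "#{name}: endpoint URL must be https" unless url.start_with?("https://")
    end
    return unless @csp_report_to && !@reporting_endpoints.key?(@csp_report_to)
    raise ArgumentError, "report-to #{@csp_report_to} names no defined endpoint"
  end
end
```

Calling `override!` on a plain `dup` changes the base config's header as well; calling it on a `deep_dup` leaves the base untouched.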
