FF130 CSP report-to directive

[hamishwillee]

FF130 supports the CPS report-to directive in https://bugzilla.mozilla.org/show_bug.cgi?id=1391243 behind a pref. It also supports

• Report-To (deprecated)
• Reporting-Endpoints - replaces Report-To
• CSPViolationReportBody.

It also supports lots of reporting API stuff too, which was not noted.

The summary of the status quo for CSP and reporting is:

• CSP reports are now supposed to be sent using the Reporting API according to the spec, and FF now supports that API behind a pref. Safari and Chrome already do this.
• The reporting API uses Reporting-Endpoints to define a set of named endpoint targets. You can then use a report-to directive in "some" headers to select one of these endpoints for sending reports to.
  • The header you use depends on the type you want to report. For CSP that's the CSP or CSP reporting header.
  • The reports are then serialised as JSON and POST to the endpoint. The data that is sent is in a body property and is a serialised version of a specific report item CSPViolationReportBody (the type is specific to the type of report)
  • There is a header Report-To which is deprecated - this is available on Chrome only and does similar job as Reporting-Endpoints.
• There is a deprecated directive for CSP report-uri that takes a URL target and sends a slightly different report JSON with a slightly different content mime type. This is what FF uses.
• Right now you're supposed to use both because FF doesn't support the new form yet.

The docs were quite mixed up so it was unclear how this worked. What I have done is pushed the documentation of the old reporting format into report-url directive. The new docs are mostly about the reporting API, though I do often mention the deprecated directive. I show sample reports in the new and old formats, but I point to CSPViolationReportBody for definition of the properties rather than repeating everywhere.

The docs are quite mixed up. Still seeking confirmations on some things in https://bugzilla.mozilla.org/show_bug.cgi?id=1391243#c11
Fortunately there is a bit of a guide in https://developer.chrome.com/docs/capabilities/web-apis/reporting-api

• Link https://developer.chrome.com/docs/capabilities/web-apis/reporting-api in docs

Related docs work can be tracked in #35279

[github-actions]

Preview URLs (14 pages)

• /en-US/docs/Mozilla/Firefox/Releases/108
• /en-US/docs/Web/API/CSPViolationReportBody
• /en-US/docs/Web/API/Report
• /en-US/docs/Web/API/Reporting_API
• /en-US/docs/Web/API/SecurityPolicyViolationEvent/sample
• /en-US/docs/Web/HTTP/CSP
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy
• /en-US/docs/Web/HTTP/Headers/Report-To
• /en-US/docs/Web/HTTP/Headers/Reporting-Endpoints
• /en-US/docs/Web/HTTP/Headers
• /en-US/docs/Web/Security/Practical_implementation_guides/CSP

Flaws (13)

Note! 12 documents with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/API/CSPViolationReportBody
Title: CSPViolationReportBody
Flaw count: 12

• macros:
  • /en-US/docs/Web/API/CSPViolationReportBody/blockedURL does not exist
  • /en-US/docs/Web/API/CSPViolationReportBody/columnNumber does not exist
  • /en-US/docs/Web/API/CSPViolationReportBody/disposition does not exist
  • /en-US/docs/Web/API/CSPViolationReportBody/documentURL does not exist
  • /en-US/docs/Web/API/CSPViolationReportBody/effectiveDirective does not exist
  • and 7 more flaws omitted

---

URL: /en-US/docs/Web/HTTP/Headers/Reporting-Endpoints
Title: Reporting-Endpoints
Flaw count: 1

• bad_bcd_queries:
  • No BCD data for query: http.headers.Reporting-Endpoints

External URLs (2)

URL: /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
Title: CSP: report-uri

• https://www.w3.org/TR/CSP/ (1 time) (Note! This may be a new URL 👀)

---

URL: /en-US/docs/Mozilla/Firefox/Releases/108
Title: Firefox 108 for developers

• https://bugzil.la/1192684 (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2024-08-23 07:52:42)

[github-actions]

This pull request has merge conflicts that must be resolved before it can be merged.

[hamishwillee]

FYI, this may have been true at some point, but not any more. From testing I can see that the object is returned as the body of the report in the ReportObserver, or as a serialized JSON version in the body property of the report.

So essentially one is an object and one is JSON, but the property names and content of stuff that is/can be serialized is the same. I have captured that.

The CSP docs will have to be updated because they still document the "similar" format for reports, where there are some casing differences in the property names.

[hamishwillee]

I was wrong, but so was this.

• The Reporting API, uses the CSP report-to directive
• CSP reports are a slightly different format, and are sent when you specify the endpoint using report-uri

[hamishwillee]

This is not "100%" finished, but the guts of it are - the remainder of the work that I know about can be done as a post process if this doesn't get reviewed in the next few days.
That work, specifically, is adding missing property docs for things like CSPViolationReportBody.

[chrisdavidmills]

Nice work @hamishwillee. I've made several comments, but it is mostly language stuff. The intent behind the work makes a lot of sense, and it is a vast improvement.

[hamishwillee]

@chrisdavidmills Thank you for that mammoth review.

I accepted nearly everything, and fixed the specific open questions. Ready for another final look.

[chrisdavidmills]

@hamishwillee I'm satisfied, you're satisfied, we're all satisfied!

And it's Friday. Let's get this merged.

[hamishwillee]

Thanks @chrisdavidmills !!!