FF130 CSP report-to directive #35331
> [!NOTE]
> This interface is similar, but not identical to, the [JSON objects](/en-US/docs/Web/HTTP/CSP#violation_report_syntax) sent back to the [`report-uri`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) or [`report-to`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) policy directive of the {{HTTPHeader("Content-Security-Policy")}} header.
FYI, this may have been true at some point, but not any more. From testing I can see that the object is returned as the body of the report in the ReportObserver, or as a serialized JSON version in the `body` property of the report.
So essentially one is an object and one is JSON, but the property names and content of stuff that is/can be serialized is the same. I have captured that.
The CSP docs will have to be updated because they still document the "similar" format for reports, where there are some casing differences in the property names.
I was wrong, but so was this.

- The Reporting API uses the CSP `report-to` directive
- CSP reports are a slightly different format, and are sent when you specify the endpoint using `report-uri`
This is not "100%" finished, but the guts of it are - the remainder of the work that I know about can be done as a post process if this doesn't get reviewed in the next few days.
Nice work @hamishwillee. I've made several comments, but it is mostly language stuff. The intent behind the work makes a lot of sense, and it is a vast improvement.
Co-authored-by: Chris Mills <chrisdavidmills@gmail.com>
@chrisdavidmills Thank you for that mammoth review. I accepted nearly everything, and fixed the specific open questions. Ready for another final look.
@hamishwillee I'm satisfied, you're satisfied, we're all satisfied!
And it's Friday. Let's get this merged.
Thanks @chrisdavidmills !!!
FF130 supports the CSP `report-to` directive in https://bugzilla.mozilla.org/show_bug.cgi?id=1391243 behind a pref. It also supports:

- `Report-To` (deprecated)
- `Reporting-Endpoints` - replaces `Report-To`

It also supports lots of reporting API stuff too, which was not noted.

The summary of the status quo for CSP and reporting is:

- `Reporting-Endpoints` to define a set of named endpoint targets. You can then use a `report-to` directive in "some" headers to select one of these endpoints for sending reports to.
- … `body` property and is a serialised version of a specific report item `CSPViolationReportBody` (the `type` is specific to the type of report)
- `Report-To` which is deprecated - this is available on Chrome only and does a similar job as `Reporting-Endpoints`.
- `report-uri` that takes a URL target and sends a slightly different report JSON with a slightly different content mime type. This is what FF uses.

The docs were quite mixed up so it was unclear how this worked. What I have done is pushed the documentation of the old reporting format into the `report-uri` directive. The new docs are mostly about the reporting API, though I do often mention the deprecated directive. I show sample reports in the new and old formats, but I point to `CSPViolationReportBody` for definition of the properties rather than repeating everywhere.

The docs are quite mixed up. Still seeking confirmations on some things in https://bugzilla.mozilla.org/show_bug.cgi?id=1391243#c11

Fortunately there is a bit of a guide in https://developer.chrome.com/docs/capabilities/web-apis/reporting-api

Related docs work can be tracked in #35279
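As an added illustration of the two report formats discussed in this thread (not code from the PR or from MDN), the handler below accepts both a legacy `report-uri` payload (`application/csp-report`, kebab-case keys) and a Reporting API `report-to` batch (`application/reports+json`, camelCase `CSPViolationReportBody`) and normalizes them to one shape, so a single endpoint can ingest reports from Firefox and Chrome alike. The sample reports, the `LEGACY_TO_BODY` mapping and the `normalize` function are constructed here.

```python
import json

# Constructed sample: legacy report POSTed to a `report-uri` endpoint
# (Content-Type: application/csp-report); kebab-case keys under "csp-report".
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "blocked-uri": "https://evil.example/x.js",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "script-src 'self'; report-uri /csp",
    "disposition": "enforce",
    "status-code": 200,
}})

# Constructed sample: Reporting API batch POSTed to a `report-to` endpoint
# (Content-Type: application/reports+json); "body" is a serialised
# CSPViolationReportBody with camelCase property names.
REPORTING_API_BATCH = json.dumps([{
    "age": 12, "type": "csp-violation", "url": "https://example.com/page",
    "user_agent": "constructed-ua",
    "body": {
        "documentURL": "https://example.com/page",
        "blockedURL": "https://evil.example/x.js",
        "effectiveDirective": "script-src",
        "originalPolicy": "script-src 'self'; report-to csp",
        "disposition": "enforce",
        "statusCode": 200,
    },
}])

# Legacy key -> CSPViolationReportBody property. "violated-directive" has no
# counterpart in the new body, so it is intentionally absent and gets dropped.
LEGACY_TO_BODY = {
    "document-uri": "documentURL", "referrer": "referrer",
    "blocked-uri": "blockedURL", "effective-directive": "effectiveDirective",
    "original-policy": "originalPolicy", "disposition": "disposition",
    "status-code": "statusCode", "source-file": "sourceFile",
    "line-number": "lineNumber", "column-number": "columnNumber",
    "script-sample": "sample",
}

def normalize(content_type, raw):
    """Return CSPViolationReportBody-shaped dicts from either report format."""
    data = json.loads(raw)
    if content_type == "application/csp-report":
        legacy = data["csp-report"]
        return [{LEGACY_TO_BODY[k]: v for k, v in legacy.items() if k in LEGACY_TO_BODY}]
    if content_type == "application/reports+json":
        # A batch may mix report types; keep only the CSP violations.
        return [r["body"] for r in data if r.get("type") == "csp-violation"]
    raise ValueError(f"unsupported report content type: {content_type}")
```

Dispatching on the request's Content-Type rather than sniffing the JSON is what keeps the two formats from being confused when both directives are present in one policy.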