From 1642cb4373699023f6bb6068a269fefda8fa060f Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Tue, 6 Aug 2024 16:29:16 +1000 Subject: [PATCH 01/13] FF130 CSP report-to directive --- .../headers/content-security-policy/index.md | 49 ++++++++----------- .../report-uri/index.md | 30 +++++------- 2 files changed, 32 insertions(+), 47 deletions(-) diff --git a/files/en-us/web/http/headers/content-security-policy/index.md b/files/en-us/web/http/headers/content-security-policy/index.md index 5633e8160d6dc98..32763af7a648211 100644 --- a/files/en-us/web/http/headers/content-security-policy/index.md +++ b/files/en-us/web/http/headers/content-security-policy/index.md 
@@ -128,34 +128,29 @@ for example. ### Reporting directives -Reporting directives control the reporting process of CSP violations. See also the -{{HTTPHeader("Content-Security-Policy-Report-Only")}} header. - -- {{CSP("report-uri")}} {{deprecated_inline}} - - - : Instructs the user agent to report attempts to violate the Content Security Policy. - These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP - `POST` request to the specified URI. - - > [!WARNING] - > Though the {{CSP("report-to")}} directive is intended - > to replace the deprecated **`report-uri`** directive, - > {{CSP("report-to")}} is not supported in most browsers yet. - > So for compatibility with current browsers - > while also adding forward compatibility when browsers get {{CSP("report-to")}} support, - > you can specify both **`report-uri`** and {{CSP("report-to")}}: - > - > ```http - > Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to groupname - > ``` - > - > In browsers that support {{CSP("report-to")}}, - > the **`report-uri`** directive will be ignored. +Reporting directives control the destination URL for CSP violation reports. +These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP `POST` request to the specified URI. + +> [!WARNING] +> The {{CSP("report-to")}} directive is intended to replace `report-uri`, and in browsers that support `report-to`, the `report-uri` directive is ignored. +> +> However until `report-to` is broadly supported you should specify both headers as shown: +> +> ```http +> Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to groupname +> ``` - {{CSP("report-to")}} + - : Provides the browser with a token identifying the reporting endpoint or group of endpoints for sending CSP violation information. The endpoints that the token represents may be provided through other HTTP headers, such as {{HTTPHeader("Reporting-Endpoints")}}. 
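Review bot: in the rewritten warning in the `### Reporting directives` hunk, "you should specify both headers" is inaccurate; `report-uri` and `report-to` are two directives inside the single `Content-Security-Policy` header, so it should read "specify both directives". The new lead sentence also says reports are "sent via an HTTP `POST` request to the specified URI", which describes `report-uri` only: with `report-to` the directive value is an endpoint name that the browser resolves through `Reporting-Endpoints`, and delivery follows the Reporting API's batching rather than a POST to a URI named in the policy. Consider wording the lead so it covers both directives, or moving the POST sentence into the `report-uri` bullet.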
+- {{CSP("report-uri")}} {{deprecated_inline}} + + - : Provides the browser with a the URL where CSP violation reports should be sent. + +See also the {{HTTPHeader("Content-Security-Policy-Report-Only")}} header. + ### Other directives - {{CSP("require-trusted-types-for")}} {{experimental_inline}} @@ -274,18 +269,16 @@ Content-Security-Policy: default-src https: ``` -Example: Pre-existing site that uses too much inline code to fix but wants to ensure -resources are loaded only over HTTPS and to disable plugins: +Example: Pre-existing site that uses too much inline code to fix but wants to ensure resources are loaded only over HTTPS and to disable plugins: ```http Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none' ``` -Example: Do not implement the above policy yet; instead just report violations that -would have occurred: +Example: Do not implement the above policy yet; instead just report violations that would have occurred: ```http -Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/ +Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/; report-to groupname ``` See [Content Security Policy (CSP) implementation](/en-US/docs/Web/Security/Practical_implementation_guides/CSP) for more examples. diff --git a/files/en-us/web/http/headers/content-security-policy/report-uri/index.md b/files/en-us/web/http/headers/content-security-policy/report-uri/index.md index 09c6b8882ec55bb..778fe03e8452e92 100644 --- a/files/en-us/web/http/headers/content-security-policy/report-uri/index.md +++ b/files/en-us/web/http/headers/content-security-policy/report-uri/index.md 
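Review bot: "Provides the browser with a the URL" in the new `report-uri` bullet has a doubled article and should be "with the URL". In the `Content-Security-Policy-Report-Only` example hunk, `report-to groupname` is appended but nothing on the page defines a `groupname` endpoint, so a reader who copies the line gets a `report-to` that resolves to nothing; add a matching `Reporting-Endpoints: groupname="…"` line above it, or a sentence pointing to where the name is defined.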
@@ -9,23 +9,19 @@ browser-compat: http.headers.Content-Security-Policy.report-uri {{HTTPSidebar}}{{deprecated_header}} -The deprecated HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) -**`report-uri`** directive instructs the user agent to report -attempts to violate the Content Security Policy. These violation reports consist of JSON -documents sent via an HTTP POST request to the specified URI. - > [!WARNING] -> Though the {{CSP("report-to")}} directive is intended to replace the deprecated **`report-uri`** directive, {{CSP("report-to")}} is not yet supported in all browsers. -> For compatibility, you can specify both **`report-uri`** and {{CSP("report-to")}}: +> The {{CSP("report-to")}} directive is intended to replace `report-uri`, and in browser that support `report-to`, the `report-uri` directive is ignored. +> +> However until `report-to` is broadly supported you should specify both headers as shown: > > ```http -> Content-Security-Policy: …; report-uri https://example.com/endpoint; report-to csp-endpoint +> Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to groupname > ``` -> -> In browsers that support {{CSP("report-to")}}, the **`report-uri`** directive is ignored. -The directive has no effect in and of itself, but only gains meaning in combination -with other directives. +The deprecated HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`report-uri`** directive instructs the user agent to report attempts to violate the Content Security Policy. +These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. + +The directive has no effect in and of itself, but only gains meaning in combination with other directives. @@ -39,8 +35,7 @@ with other directives. 
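Review bot: "in browser that support `report-to`" in the rewritten warning should be "browsers", and "specify both headers" should be "both directives", since both live in the one `Content-Security-Policy` header. Moving the definition paragraph below the warning also means the first thing the page says about `report-uri` is that it is ignored, before saying what it does; keeping the one-line definition above the warning reads better.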
@@ -58,16 +53,13 @@ Content-Security-Policy: report-uri ; ## Examples -See {{HTTPHeader("Content-Security-Policy-Report-Only")}} for more information and -examples. +See {{HTTPHeader("Content-Security-Policy-Report-Only")}} for more information and examples. ```http Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/ ``` -`/csp-violation-report-endpoint/` could for example run a PHP something like -the following that logs the JSON detailing the violation and, if the violation is the -first one added to the log file, sends an email to an administrator: +`/csp-violation-report-endpoint/` could for example run a PHP something like the following that logs the JSON detailing the violation and, if the violation is the first one added to the log file, sends an email to an administrator: ```php Date: Mon, 12 Aug 2024 16:47:13 +1000 Subject: [PATCH 02/13] Add Report-To header --- files/en-us/web/http/headers/index.md | 6 +- .../en-us/web/http/headers/report-to/index.md | 122 ++++++++++++++++++ 2 files changed, 126 insertions(+), 2 deletions(-) create mode 100644 files/en-us/web/http/headers/report-to/index.md diff --git a/files/en-us/web/http/headers/index.md b/files/en-us/web/http/headers/index.md index 862d035a478cd3e..4fd8a5c7eaa0e04 100644 --- a/files/en-us/web/http/headers/index.md +++ b/files/en-us/web/http/headers/index.md 
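Review bot: the Examples hunk only reflows the sentence, but the unchanged example `Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/` now contradicts the warning added at the top of the same page, which tells readers to send both `report-uri` and `report-to`; either extend the example with a `report-to` directive plus its `Reporting-Endpoints` mapping, or say explicitly that this example shows the legacy form only.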
@@ -276,8 +276,10 @@ The following request headers are not _strictly_ "fetch metadata request headers ## Server-sent events -- {{HTTPHeader("Report-To")}} - - : Used to specify a server endpoint for the browser to send warning and error reports to. +- {{HTTPHeader("Reporting-Endpoints")}} + - : Response header used to specify server endpoints where the browser should send warning and error reports when using the [Reporting API)](/en-US/docs/Web/API/Reporting_API). +- {{HTTPHeader("Report-To")}} {{deprecated_inline}} {{non-standard_inline}} + - : Response header used to specify server endpoints where the browser should send warning and error reports when using the [Reporting API)](/en-US/docs/Web/API/Reporting_API). ## Transfer coding diff --git a/files/en-us/web/http/headers/report-to/index.md b/files/en-us/web/http/headers/report-to/index.md new file mode 100644 index 000000000000000..c69b4cfb15f1162 --- /dev/null +++ b/files/en-us/web/http/headers/report-to/index.md 
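Review bot: both new descriptions in the `## Server-sent events` hunk contain a malformed link, `[Reporting API)](/en-US/docs/Web/API/Reporting_API)`; the `)` after "API" should not be there, i.e. `[Reporting API](…)`. The two entries are also word-for-word identical, so the list gives no reason to prefer one; the `Report-To` entry should say it is the deprecated predecessor replaced by `Reporting-Endpoints`. Neither header has anything to do with server-sent events, so if the heading is inherited from the old entry, this is a good moment to give these two entries their own `## Reporting` heading.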
@@ -0,0 +1,122 @@ +--- +title: Report-To +slug: Web/HTTP/Headers/Report-To +page-type: http-header +browser-compat: http.headers.Report-To +--- + +{{HTTPSidebar}} + +> [!WARNING] +> This header has been replaced by the {{HTTPHeader("Reporting-Endpoints")}} HTTP response header. +> It is a deprecated part of an earlier iteration of the Reporting API specification. + +The HTTP **`Report-To`** {{glossary("response header")}} allows website administrators to define named groups of endpoints, that can then be used as the destination for warning and error reports, such as those used as the target for CSP violation reports, {{HTTPHeader("Cross-Origin-Opener-Policy")}} reports, deprecation reports, or other generic violations. + +`Report-To` is often used in conjunction with other headers that select a particular group of endpoints to use for particular kind of report. +For example, the {{HTTPHeader("Content-Security-Policy")}} header {{CSP("report-to")}} directive can be used to select the group used for reporting CSP violations. + +
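Review bot: "define named groups of endpoints, that can then be used" has a stray comma before "that", and "particular kind of report" should be "a particular kind of report". The warning says the header is deprecated, but the intro then describes it in the present tense as the mechanism CSP `report-to` uses; one sentence saying that new deployments should use `Reporting-Endpoints` and that this page exists for existing configurations would make the status unambiguous.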
- This directive is not supported in the {{HTMLElement("meta")}} - element. + This directive is not supported in the {{HTMLElement("meta")}} element.
+ + + + + + + + + + + + + + +
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
+ {{Glossary("CORS-safelisted response header")}} + no
+ +## Syntax + +```http +Report-To: +``` + +- \ + + - : One or more endpoint-group definitions, defined as a JSON array that omits the surrounding `[` and `]` markers. + Each object in the array has the following properties: + + - `group` + - : A name for the group of endpoints. + - `max_age` + - : The time in seconds that the browser should cache the reporting configuration. + - `endpoints` + - : An array of one or more URLs where the reports in the group should be sent. + +## Examples + +### Setting a CSP violation report endpoint + +This example shows how a server might use `Report-To` to define a group of endpoints, and then set the group as the location where CSP violation reports are sent. + +First a server might send a response with the `Report-To` HTTP response header as shown below. +This specifies a group of `url` endpoints identified by the group name `csp-endpoints`. + +```http +Report-To: { "group": "csp-endpoints", + "max_age": 10886400, + "endpoints": [ + { "url": "https://example.com/reports" }, + { "url": "https://backup.com/reports" } + ] } +``` + +The server can then set that it wants this group to be the target for sending CSP violation reports by specifying the group name as the value of the {{CSP("report-to")}} directive: + +```http +Content-Security-Policy: script-src https://example.com/; report-to csp-endpoints +``` + +Given the headers above, any `script-src` CSP violations would result in violation reports being sent to both of the `url` values listed in `Report-To`. + +### Specifying multiple reporting groups + +The example below demonstates a `Report-To` header that specifies multiple endpoint groups. +Note that each group has a unique name, and that the groups are not bounded by the array markers. 
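Review bot: the `endpoints` description in the Syntax hunk says "An array of one or more URLs", but the example directly below shows an array of objects with a `url` member (`{ "url": "https://example.com/reports" }`); describe it as an array of endpoint objects, each with a `url`. `https://backup.com/reports` in the same example is a real registrable domain rather than a reserved documentation name; use a host under `example.com` or `example.org` so readers do not send test reports to a third party. Also "demonstates" should be "demonstrates".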
+ +```http +Report-To: { "group": "csp-endpoint-1", + "max_age": 10886400, + "endpoints": [ + { "url": "https://example.com/csp-reports" } + ] }, + { "group": "hpkp-endpoint", + "max_age": 10886400, + "endpoints": [ + { "url": "https://example.com/hpkp-reports" } + ] } +``` + +We can select an endpoint group as the target for violation reports by name, in the same way as we did in the previous example: + +```http +Content-Security-Policy: script-src https://example.com/; report-to csp-endpoint-1 +``` + +## Specifications + +This header is no longer part of any specification. +It was previously part of the [Reporting API](/en-US/docs/Web/API/Reporting_API). + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Reporting-Endpoints")}} +- [Reporting API](/en-US/docs/Web/API/Reporting_API) +- {{HTTPHeader("Content-Security-Policy")}} +- {{CSP("report-to")}} directive +- {{HTTPHeader("Content-Security-Policy-Report-Only")}} +- [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP#enabling_reporting) guide From 317a86f16900123e1d3bfcfef596a8db4ad0d73c Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Mon, 12 Aug 2024 18:18:46 +1000 Subject: [PATCH 03/13] CSP: report-to --- .../report-to/index.md | 57 +++++++------------ 1 file changed, 20 insertions(+), 37 deletions(-) diff --git a/files/en-us/web/http/headers/content-security-policy/report-to/index.md b/files/en-us/web/http/headers/content-security-policy/report-to/index.md index 601e2900963c975..07125e089b12aa2 100644 --- a/files/en-us/web/http/headers/content-security-policy/report-to/index.md +++ b/files/en-us/web/http/headers/content-security-policy/report-to/index.md 
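Review bot: the `hpkp-endpoint` group in the multiple-groups example names HTTP Public Key Pinning reports, a feature browsers have removed, so the example illustrates a report type that can no longer arrive; a second CSP group, or a COOP group (the intro already lists `Cross-Origin-Opener-Policy` reports), would be a live illustration. The Specifications section says the header is "no longer part of any specification" and the page then renders `{{Compat}}`; confirm the `http.headers.Report-To` compat entry exists with its deprecation flag, otherwise the macro will fail the build.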
@@ -7,16 +7,11 @@ browser-compat: http.headers.Content-Security-Policy.report-to {{HTTPSidebar}} -The `Content-Security-Policy` -**`Report-To`** HTTP response header field -instructs the user agent to store reporting endpoints for an origin. +The `Content-Security-Policy` **`report-to`** directive indicates the name of the endpoint that the browser should use for reporting CSP violations. -```http -Content-Security-Policy: …; report-to groupname -``` +If a CSP violation occurs, a report is generated that contains a serialized version of {{domxref("CSPViolationReportBody")}}, and this is sent to the URL that corresponds with the endpoint name using the generic mechanisms defined in the [Reporting API)](/en-US/docs/Web/API/Reporting_API). -The directive has no effect in and of itself, but only gains meaning in combination -with other directives. +The server must separately provide the mapping between endpoint names and their corresponding URLs in the {{HTTPHeader("Reporting-Endpoints")}} HTTP response header. @@ -30,8 +25,7 @@ with other directives. 
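Review bot: the new intro repeats the malformed link text `[Reporting API)](…)`. The last added sentence says the mapping "must" be provided by `Reporting-Endpoints`, but the Syntax hunk later in this patch still allows a `Report-To` group name; "must" overstates it, so say the mapping is normally provided by `Reporting-Endpoints` (or, in legacy configurations, by the deprecated `Report-To`).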
@@ -40,45 +34,33 @@ with other directives. ## Syntax ```http -Content-Security-Policy: report-to ; +Content-Security-Policy: …; report-to ``` +`` is the name of an endpoint provided by the {{HTTPHeader("Reporting-Endpoints")}} HTTP response header. + +> [!NOTE] +> The `` can also be the name of an group provided in the {{HTTPHeader("Report-To")}} {{deprecated_inline}} HTTP response header, but this is deprecated and should not be used. + ## Examples -See {{HTTPHeader("Content-Security-Policy-Report-Only")}} for more information and -examples. +### Setting a CSP violation report endpoint -```http -Report-To: { "group": "csp-endpoint", - "max_age": 10886400, - "endpoints": [ - { "url": "https://example.com/csp-reports" } - ] }, - { "group": "hpkp-endpoint", - "max_age": 10886400, - "endpoints": [ - { "url": "https://example.com/hpkp-reports" } - ] } -Content-Security-Policy: …; report-to csp-endpoint -``` +A server might first define the endpoint name and URL using the {{HTTPHeader("Reporting-Endpoints")}} header in the response for the resource. +Any name can be used: here we've chosen "name-of-endpoint". ```http -Report-To: { "group": "endpoint-1", - "max_age": 10886400, - "endpoints": [ - { "url": "https://example.com/reports" }, - { "url": "https://backup.com/reports" } - ] } - -Content-Security-Policy: …; report-to endpoint-1 +Reporting-Endpoints: name-of-endpoint="https://example.com/csp-reports" ``` -```http -Reporting-Endpoints: endpoint-1="https://example.com/reports" +The server can then set this endpoint as the target for sending CSP violation reports using the `report-to` directive as shown. -Content-Security-Policy: …; report-to endpoint-1 +```http +Content-Security-Policy: default-src 'self'; report-to name-of-endpoint ``` + + ## Specifications {{Specifications}} 
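Review bot: "the name of an group" in the new note should be "a group". In the Examples hunk the `Reporting-Endpoints` and `Content-Security-Policy` headers are shown in separate fenced blocks, which hides that they have to be sent on the same response (the endpoint name is only meaningful for the document whose response carried it); showing them together in one block, as the removed example did, makes that clearer. Dropping the removed examples also removes the page's only hint that a group could list several `url` entries; a one-line pointer to the `Report-To` page would keep that discoverable.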
@@ -89,5 +71,6 @@ Content-Security-Policy: …; report-to endpoint-1 ## See also +- {{HTTPHeader("Reporting-Endpoints")}} - {{HTTPHeader("Content-Security-Policy")}} - {{HTTPHeader("Content-Security-Policy-Report-Only")}} From 229c7303fe7181259c04bc5e010d8baae685630f Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Mon, 19 Aug 2024 18:37:38 +1000 Subject: [PATCH 04/13] CSPViolationReportBody - expand on how it works --- .../web/api/cspviolationreportbody/index.md | 89 +++++++++++++++++-- .../report-to/index.md | 23 +++-- .../report-uri/index.md | 6 +- 3 files changed, 102 insertions(+), 16 deletions(-) diff --git a/files/en-us/web/api/cspviolationreportbody/index.md b/files/en-us/web/api/cspviolationreportbody/index.md index 3a24db6a30e0578..c8ef2da2fa650a9 100644 --- a/files/en-us/web/api/cspviolationreportbody/index.md +++ b/files/en-us/web/api/cspviolationreportbody/index.md 
@@ -5,12 +5,15 @@ page-type: web-api-interface browser-compat: api.CSPViolationReportBody --- -{{APIRef("Reporting API")}}{{SecureContext_Header}} +{{APIRef("Reporting API")}} {{SecureContext_Header}} -The `CSPViolationReportBody` interface contains the report data for a Content Security Policy (CSP) violation. CSP violations are thrown when the webpage attempts to load a resource that violates the CSP set by the {{HTTPHeader("Content-Security-Policy")}} HTTP header. +The `CSPViolationReportBody` interface is an extension of the [Reporting API](/en-US/docs/Web/API/Reporting_API) that represents the body of a Content Security Policy (CSP) violation report. -> [!NOTE] -> This interface is similar, but not identical to, the [JSON objects](/en-US/docs/Web/HTTP/CSP#violation_report_syntax) sent back to the [`report-uri`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) or [`report-to`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) policy directive of the {{HTTPHeader("Content-Security-Policy")}} header. +CSP violations are thrown when the webpage attempts to load a resource that violates the CSP set by the {{HTTPHeader("Content-Security-Policy")}} HTTP header. + +An object of this type is returned in the `body` property of each of the [reports](/en-US/docs/Web/API/ReportingObserver/ReportingObserver#reports) returned in the {{domxref("ReportingObserver")}} callback that have a `type` of `"csp-violation"`. + +A JSON serialization of this object is included in the `body` property of the JSON report object send to the endpoint specified in the [`report-to`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) policy directive of the {{HTTPHeader("Content-Security-Policy")}} header. {{InheritanceDiagram}} 
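Review bot: "the JSON report object send to the endpoint" should be "sent". "CSP violations are thrown" suggests an exception; they are reported (a `securitypolicyviolation` event and a report), so "occur" or "are raised" is more accurate. The removed note also told readers that this interface is similar but not identical to the JSON sent to `report-uri`; the replacement paragraph only covers `report-to`, so the page no longer says that `report-uri` reports use a different shape (`csp-report` with hyphenated keys such as `blocked-uri`). Keep that distinction, since collector code has to parse the two formats differently.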
@@ -52,7 +55,8 @@ _Also inherits methods from its parent interface, {{DOMxRef("ReportBody")}}._ ### Obtaining a `CSPViolationReportBody` object -To obtain a `CSPViolationReportBody` object, you must configure your page so that a CSP violation will occur. In this example, we will set our CSP to only allow content from the site's own origin, and then attempt to load a script from `apis.google.com`, which is an external origin. +To obtain a `CSPViolationReportBody` object, you must configure your page so that a CSP violation will occur. +In this example, we will set our CSP to only allow content from the site's own origin, and then attempt to load a script from `apis.google.com`, which is an external origin. First, we will set our {{HTTPHeader("Content-Security-Policy")}} header: @@ -67,12 +71,12 @@ Then, we will attempt to load an external script: ``` -Finally, we will create a new {{domxref("ReportingObserver")}} object to listen for CSP violations. +Finally, we will create a new {{domxref("ReportingObserver")}} object to listen for CSP violations (this will need to be loaded from the same location, before the script that causes the violation). ```js const observer = new ReportingObserver( (reports, observer) => { - const cspViolation = reports[0].body; + const cspViolation = reports[0]; }, { types: ["csp-violation"], 
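Review bot: the new parenthetical "(this will need to be loaded from the same location, before the script that causes the violation)" is unclear about what "location" means, and the ordering claim only holds when the observer is not created with `buffered: true`, which delivers reports queued before `observe()` was called; say explicitly that the observer must be created in the same document and either run before the offending `<script>` or pass `buffered: true`. Also `reports[0]` is now assigned to `cspViolation`, which the hunk never uses; either log it or drop the assignment.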
@@ -83,6 +87,77 @@ const observer = new ReportingObserver( observer.observe(); ``` +If we were to log the violation report object, it might look similar to the object below. +Note that the `body` is an instance of the `CSPViolationReportBody` and the `type` is `"csp-violation"`. + +```js +{ + "type": "csp-violation", + "url": "http://127.0.0.1:9999/", + "body": { + "sourceFile": null, + "lineNumber": null, + "columnNumber": null, + "documentURL": "http://127.0.0.1:9999/", + "referrer": "", + "blockedURL": "https://apis.google.com/js/platform.js", + "effectiveDirective": "script-src-elem", + "originalPolicy": "default-src 'self';", + "sample": "", + "disposition": "enforce", + "statusCode": 200 + } +} +``` + +### Sending a CSP violation report + +Configuring a web page to send a CSP violation report is similar to the previous example. +As before, you need to configure your page so that there is a violation. + +In addition, you also need to specify the endpoints where the report will be sent. +We specify endpoints using the {{httpheader("Reporting-Endpoints")}} response header: these must be secure URLs (HTTPS). +The CSP {{CSP("report-to")}} directive is then used to specify that the particular endpoint is used for reporting CPS violations: + +```http +Reporting-Endpoints: csp-endpoint="https://example.com/csp-report-to" +Content-Security-Policy: default-src 'self'; report-to csp-endpoint +``` + +As before, we can trigger the violation loading by loading an external script from a location that is not covered by our CSP header: + +```html + + +``` + +The violation report will then be sent to the indicated endpoint as a JSON file. 
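Review bot: "reporting CPS violations" should be "CSP", and "we can trigger the violation loading by loading an external script" repeats "loading". The `Reporting-Endpoints` example uses `https://example.com/csp-report-to` as the report collector, and the JSON later in the same section uses that URL as `documentURL`; give the collector a distinct path (e.g. `/csp-reports`) so the example does not imply the page and its report endpoint are the same resource. The note that endpoints "must be secure URLs (HTTPS)" is correct and worth keeping prominent, since a collector that accepts reports over plain HTTP leaks page URLs and script samples.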
+As you see from the example below, the `type` is `"csp-violation"` and the `body` property is a serialization of the `CSPViolationReportBody` object: + +```json +[ + { + "age": 53531, + "body": { + "blockedURL": "inline", + "columnNumber": 59, + "disposition": "enforce", + "documentURL": "https://example.com/csp-report-to", + "effectiveDirective": "script-src-elem", + "lineNumber": 1441, + "originalPolicy": "default-src 'self'; report-to csp-endpoint", + "referrer": "https://www.google.com/", + "sample": "console.log(\"lo\")", + "sourceFile": "https://example.com/csp-report-to", + "statusCode": 200 + }, + "type": "csp-violation", + "url": "https://example.com/csp-report-to", + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" + } +] +``` + ## Specifications {{Specifications}} diff --git a/files/en-us/web/http/headers/content-security-policy/report-to/index.md b/files/en-us/web/http/headers/content-security-policy/report-to/index.md index 07125e089b12aa2..2045e644fad35e5 100644 --- a/files/en-us/web/http/headers/content-security-policy/report-to/index.md +++ b/files/en-us/web/http/headers/content-security-policy/report-to/index.md 
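Review bot: the sample report does not match the trigger described just above it: the text loads an external script, but the body shows `"blockedURL": "inline"` with `"sample": "console.log(\"lo\")"`, which is an inline-script violation. Either trigger the violation with an inline script or replace the body with one whose `blockedURL` is the external script URL. Separately, `sample` is only populated when the violated directive includes `'report-sample'`, and the `originalPolicy` shown (`default-src 'self'; report-to csp-endpoint`) does not, so a non-empty `sample` is inconsistent with the policy; add `'report-sample'` to the policy or show `"sample": ""`. The `referrer` of `https://www.google.com/` and the full Chrome `user_agent` string read like a captured real report; trim them to placeholder values.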
@@ -9,7 +9,8 @@ browser-compat: http.headers.Content-Security-Policy.report-to The `Content-Security-Policy` **`report-to`** directive indicates the name of the endpoint that the browser should use for reporting CSP violations. -If a CSP violation occurs, a report is generated that contains a serialized version of {{domxref("CSPViolationReportBody")}}, and this is sent to the URL that corresponds with the endpoint name using the generic mechanisms defined in the [Reporting API)](/en-US/docs/Web/API/Reporting_API). +If a CSP violation occurs, a report is generated that contains a serialized version of {{domxref("CSPViolationReportBody")}}. +This report is sent to the URL that corresponds to the endpoint name, using the generic mechanisms defined in the [Reporting API](/en-US/docs/Web/API/Reporting_API). The server must separately provide the mapping between endpoint names and their corresponding URLs in the {{HTTPHeader("Reporting-Endpoints")}} HTTP response header. 
@@ -39,27 +40,37 @@ Content-Security-Policy: …; report-to `` is the name of an endpoint provided by the {{HTTPHeader("Reporting-Endpoints")}} HTTP response header. -> [!NOTE] -> The `` can also be the name of an group provided in the {{HTTPHeader("Report-To")}} {{deprecated_inline}} HTTP response header, but this is deprecated and should not be used. +It can also be the name of a group provided in the {{HTTPHeader("Report-To")}} {{deprecated_inline}} HTTP response header, but this header is deprecated and should not be used. + +## Usage notes + +The `report-to` directive is intended to replace `report-uri`, and browsers that support `report-to` ignore the `report-uri` directive. +However, until `report-to` is broadly supported you can specify both headers as shown: + +```http +Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to endpoint_name +``` + +Note that other examples in this topic do not show `report-uri`. ## Examples ### Setting a CSP violation report endpoint -A server might first define the endpoint name and URL using the {{HTTPHeader("Reporting-Endpoints")}} header in the response for the resource. +A server can define the mapping between endpoint names and URLs using the {{HTTPHeader("Reporting-Endpoints")}} header in the HTTP response. Any name can be used: here we've chosen "name-of-endpoint". ```http Reporting-Endpoints: name-of-endpoint="https://example.com/csp-reports" ``` -The server can then set this endpoint as the target for sending CSP violation reports using the `report-to` directive as shown. +The server can set this an endpoint name as the target for sending CSP violation reports using the `report-to` directive as shown. ```http Content-Security-Policy: default-src 'self'; report-to name-of-endpoint ``` - + ## Specifications 
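Review bot: "The server can set this an endpoint name" has a leftover word and should be "set this endpoint name". "you can specify both headers" in the new Usage notes should be "both directives", since both sit inside one `Content-Security-Policy` header. The Usage notes example uses `endpoint_name` while the Examples section uses `name-of-endpoint`; use one token throughout so readers see that the same name has to appear in both `Reporting-Endpoints` and the `report-to` directive.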
diff --git a/files/en-us/web/http/headers/content-security-policy/report-uri/index.md b/files/en-us/web/http/headers/content-security-policy/report-uri/index.md index 778fe03e8452e92..e7a6447f8fe5321 100644 --- a/files/en-us/web/http/headers/content-security-policy/report-uri/index.md +++ b/files/en-us/web/http/headers/content-security-policy/report-uri/index.md @@ -10,12 +10,12 @@ browser-compat: http.headers.Content-Security-Policy.report-uri {{HTTPSidebar}}{{deprecated_header}} > [!WARNING] -> The {{CSP("report-to")}} directive is intended to replace `report-uri`, and in browser that support `report-to`, the `report-uri` directive is ignored. +> The {{CSP("report-to")}} directive is intended to replace `report-uri`, and in browsers that support `report-to`, the `report-uri` directive is ignored. > -> However until `report-to` is broadly supported you should specify both headers as shown: +> However until `report-to` is broadly supported you can specify both headers as shown: > > ```http -> Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to groupname +> Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to endpoint_name > ``` The deprecated HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`report-uri`** directive instructs the user agent to report attempts to violate the Content Security Policy. From 5fdf63e064cad0a7b099fd3782baafe530bcd8a4 Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Mon, 19 Aug 2024 18:55:08 +1000 Subject: [PATCH 05/13] Add the HTTP headers to the list of related things in interface --- .../web/api/cspviolationreportbody/index.md | 2 +- files/en-us/web/api/reporting_api/index.md | 21 +++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/files/en-us/web/api/cspviolationreportbody/index.md b/files/en-us/web/api/cspviolationreportbody/index.md index c8ef2da2fa650a9..d3906447f316fcf 100644 --- a/files/en-us/web/api/cspviolationreportbody/index.md 
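Review bot: the `report-uri` warning hunk still says "specify both headers" although `report-uri` and `report-to` are directives of the same header; "both directives" is the accurate phrase. "However until `report-to` is broadly supported" also needs a comma after "However".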
+++ b/files/en-us/web/api/cspviolationreportbody/index.md @@ -116,7 +116,7 @@ Configuring a web page to send a CSP violation report is similar to the previous As before, you need to configure your page so that there is a violation. In addition, you also need to specify the endpoints where the report will be sent. -We specify endpoints using the {{httpheader("Reporting-Endpoints")}} response header: these must be secure URLs (HTTPS). +A server specifies endpoints using the {{httpheader("Reporting-Endpoints")}} response header: these must be secure URLs (HTTPS). The CSP {{CSP("report-to")}} directive is then used to specify that the particular endpoint is used for reporting CPS violations: ```http diff --git a/files/en-us/web/api/reporting_api/index.md b/files/en-us/web/api/reporting_api/index.md index 1088cefe85226e7..bba856795ff4c7f 100644 --- a/files/en-us/web/api/reporting_api/index.md +++ b/files/en-us/web/api/reporting_api/index.md 
@@ -71,6 +71,27 @@ These interfaces are defined as part of the HTTP [Content Security Policy (CSP)] - {{domxref("SecurityPolicyViolationEvent")}} - : Represents the event object of a `securitypolicyviolation` event fired on an element, document, or worker when its CSP is violated. +## Related HTTP Headers + +These HTTP response headers define the endpoints where reports are sent. + +- {{HTTPHeader("Reporting-Endpoints")}} + - : Set the name and URL of reporting endpoints, which can then be used in the `report-to` directive of the `Content-Security-Header` HTTP header. +- {{HTTPHeader("Report-To")}} + - : Set the name and URL of reporting endpoint groups, which can then be used in the `report-to` directive of the `Content-Security-Header` HTTP header. +- {{HTTPHeader("Content-Security-Policy")}} + + - : The following headers can be used to set the reporting endpoint where reports are sent by the user agent: + + - {{CSP("report-to")}} + + - : Provides the browser with a token identifying the reporting endpoint or group of endpoints for sending CSP violation information. + The endpoints that the token represents may be provided through other HTTP headers, such as {{HTTPHeader("Reporting-Endpoints")}}. + + - {{CSP("report-uri")}} {{deprecated_inline}} + + - : Provides the browser with a the URL where CSP violation reports should be sent. + ## Examples In our [deprecation_report.html](https://mdn.github.io/dom-examples/reporting-api/deprecation_report.html) example, we create a simple reporting observer to observe usage of deprecated features on our web page: From 24c069ac94acc1e204e3fbe99c4cbad0cae63c62 Mon Sep 17 00:00:00 2001 
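Review bot: `Content-Security-Header` in the `Reporting-Endpoints` and `Report-To` entries is not a header name; both should read `Content-Security-Policy`. "The following headers can be used to set the reporting endpoint" introduces two directives, not headers. `Report-To` is marked `{{deprecated_inline}} {{non-standard_inline}}` in the headers index in PATCH 02 but carries no marker here; mark it consistently so readers of the Reporting API page do not pick it for new deployments. And "with a the URL" in the `report-uri` entry repeats the doubled article from PATCH 01.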
From: Hamish Willee Date: Tue, 20 Aug 2024 15:51:17 +1000 Subject: [PATCH 06/13] Numerous changes to change focus to Reporting API --- .../mozilla/firefox/releases/108/index.md | 2 +- .../web/api/cspviolationreportbody/index.md | 12 +- files/en-us/web/api/report/index.md | 3 +- files/en-us/web/api/reporting_api/index.md | 11 +- files/en-us/web/http/csp/index.md | 119 ++++-------- .../index.md | 98 +++------- .../headers/content-security-policy/index.md | 33 +++- .../report-to/index.md | 33 +++- .../report-uri/index.md | 182 ++++++++++++++---- .../en-us/web/http/headers/report-to/index.md | 4 +- .../http/headers/reporting-endpoints/index.md | 13 +- .../csp/index.md | 18 +- 12 files changed, 297 insertions(+), 231 deletions(-) diff --git a/files/en-us/mozilla/firefox/releases/108/index.md b/files/en-us/mozilla/firefox/releases/108/index.md index 37e3be6fe6479d5..cf3f0fc7aec24b7 100644 --- a/files/en-us/mozilla/firefox/releases/108/index.md +++ b/files/en-us/mozilla/firefox/releases/108/index.md @@ -36,7 +36,7 @@ No notable changes - [`Content-Security-Policy`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) HTTP header directives [`script-src-elem`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem) and [`script-src-attr`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr) are now supported. A server can use these to specify valid sources for JavaScript `
- This directive is not supported in the {{HTMLElement("meta")}} - element. + This directive is not supported in the {{HTMLElement("meta")}} element.