bugsnag-js
Feature proposal: Listen to and report `securitypolicyviolation` events
All major browsers support the SecurityPolicyViolationEvent:
```js
document.addEventListener("securitypolicyviolation", (e) => {
  console.log(e.blockedURI);
  console.log(e.violatedDirective);
  console.log(e.originalPolicy);
});
```
The apps I'm working on are very strict and security conscious. We serve all of our requests with a strict CSP and use the report-to/report-uri feature to track violations. This is sort of annoying though, since the service we use to track this is separate from our main bug tracker (Bugsnag) and other monitoring tools.
We'll probably add our own listener to this event and pipe it to Bugsnag as an info notification, but I think it would also make sense for Bugsnag to add direct support for this. Right now I think we only get partial, less high quality, reporting of this with Bugsnag via it hooking console.error or exception handling.
Hey @backus, will put this to our product team for their consideration, thanks for raising! Like you say, in the meantime it's possible to add a listener and handle the error by calling Bugsnag.notify() with the information in the object that this event throws. Will keep you posted with any updates in this thread.
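The interim approach mentioned in this thread (a `securitypolicyviolation` listener that forwards to `Bugsnag.notify()`), as an added example that is not code from the thread or from Bugsnag. It assumes the bugsnag-js v7 `notify(error, onError)` callback API; the helper names are hypothetical, and the URL redaction and de-duplication go beyond what the thread describes.

```javascript
// Added example; assumes bugsnag-js v7: Bugsnag.notify(error, onError).
// redactUrl, toCspReport and installCspReporter are hypothetical helper names.

// Drop query string and fragment: violation URLs can carry tokens or PII.
function redactUrl(value) {
  if (!value) return "";
  try {
    const u = new URL(value);
    return u.origin === "null" ? u.protocol : u.origin + u.pathname;
  } catch {
    return value; // keyword values such as "inline" or "eval"
  }
}

function toCspReport(e) {
  return {
    directive: e.effectiveDirective || e.violatedDirective,
    blockedURI: redactUrl(e.blockedURI),
    documentURI: redactUrl(e.documentURI),
    sourceFile: redactUrl(e.sourceFile),
    lineNumber: e.lineNumber,
    disposition: e.disposition, // "enforce" or "report"
    originalPolicy: e.originalPolicy,
  };
}

// Reports each (directive, blockedURI) pair once, capped at maxReports per page load.
function installCspReporter(target, bugsnag, maxReports = 20) {
  const seen = new Set();
  target.addEventListener("securitypolicyviolation", (e) => {
    const report = toCspReport(e);
    const key = `${report.directive}|${report.blockedURI}`;
    if (seen.has(key) || seen.size >= maxReports) return;
    seen.add(key);
    bugsnag.notify(
      { name: "CSPViolation", message: `${report.directive} blocked ${report.blockedURI}` },
      (event) => {
        event.severity = "info"; // a policy violation, not an application crash
        event.groupingHash = key; // group repeats of the same violation together
        event.addMetadata("csp", report);
      }
    );
  });
  return seen;
}

// In a page: installCspReporter(document, Bugsnag);
```

The cap and de-duplication keep a single misbehaving page or extension from flooding the project with identical events.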
Is this making its way up the backlog? I’d also love seeing built-in CSP violation reporting support in Bugsnag.
Hi @Haraldson,
This is still on our backlog; higher priority items have meant we have not yet got round to this. So unfortunately we don't yet have a good idea in terms of timeframes for doing this work. We will update here as soon as we do.