Kyfast/report to directive
All PRs:
- [x] Has tests
- [ ] Documentation updated
Adding a new header (Reporting-Endpoints)
Is the header supported by any user agent? Yes - Chrome 116+, Edge 116+, Opera 102+ (via Reporting API)
What does it do? Defines HTTP reporting endpoints for CSP violations and other security/performance reports using the HTTP Reporting API
What are the valid values? Comma-separated pairs of [name="url"] where url must be HTTPS (e.g., csp-violations="https://example.com/reports")
Where does the specification live? MDN Reporting-Endpoints and MDN report-to directive
Adding a new CSP directive (report-to)
Is the directive supported by any user agent? Yes - Chrome 69+, Edge 79+, Firefox 110+, Safari 15.1+
What does it do? Specifies a named reporting endpoint (defined via Reporting-Endpoints header) where CSP violations should be reported, replacing or complementing report-uri
What are the valid values? A single string endpoint name (e.g., report-to csp-violations), must match a name defined in the Reporting-Endpoints header
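The two constraints the template states above (endpoint URLs must be HTTPS, and the `report-to` name must match a name defined in `Reporting-Endpoints`) are easy to get wrong by hand, and a `report-to` that names an undefined endpoint silently drops every report. The following is an added example, not code from secure_headers or from this PR; `ReportingHeaders`, its methods and the sample endpoint map are hypothetical names constructed for illustration. It builds both header values from one endpoint hash and refuses inconsistent input.

```ruby
# Added example (not secure_headers' own code). Builds a Reporting-Endpoints
# header value and a CSP report-to directive from one endpoint map, enforcing:
#   - every endpoint URL is an absolute https:// URL
#   - the report-to name is actually defined in Reporting-Endpoints
require "uri"

module ReportingHeaders
  # Reporting-Endpoints is a Structured Field Dictionary, so endpoint names
  # follow RFC 8941 key syntax: starts with a lowercase letter or "*",
  # then lowercase letters, digits, "_", "-", ".", "*".
  NAME_PATTERN = /\A[a-z*][a-z0-9_\-.*]*\z/

  # endpoints: { "csp-violations" => "https://example.com/reports", ... }
  # Returns e.g. csp-violations="https://example.com/reports"
  def self.reporting_endpoints_value(endpoints)
    raise ArgumentError, "at least one endpoint required" if endpoints.empty?

    endpoints.map do |name, url|
      name = name.to_s
      unless NAME_PATTERN.match?(name)
        raise ArgumentError, "invalid endpoint name: #{name.inspect}"
      end
      uri = URI.parse(url.to_s) rescue nil
      unless uri.is_a?(URI::HTTPS) && uri.host && !uri.host.empty?
        raise ArgumentError, "endpoint #{name} must be an absolute https URL, got #{url.inspect}"
      end
      %(#{name}="#{uri}")
    end.join(", ")
  end

  # Returns e.g. "report-to csp-violations"; fails loudly when the name is
  # not defined, instead of emitting a directive that reports nowhere.
  def self.report_to_directive(name, endpoints)
    known = endpoints.keys.map(&:to_s)
    unless known.include?(name.to_s)
      raise ArgumentError,
            "report-to #{name} is not defined in Reporting-Endpoints (known: #{known.join(', ')})"
    end
    "report-to #{name}"
  end

  # Both response headers from a single endpoint map, so they cannot drift apart.
  def self.headers(endpoints, report_to:, csp_directives: "default-src 'self'")
    {
      "Reporting-Endpoints" => reporting_endpoints_value(endpoints),
      "Content-Security-Policy" => "#{csp_directives}; #{report_to_directive(report_to, endpoints)}",
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input.
  endpoints = { "csp-violations" => "https://example.com/reports" }
  ReportingHeaders.headers(endpoints, report_to: "csp-violations").each do |k, v|
    puts "#{k}: #{v}"
  end
end
```

Keeping `report-uri` alongside `report-to` is still reasonable for browsers that predate `report-to`; the point of deriving both headers from one map is that a renamed or removed endpoint fails at configuration time rather than as silently missing reports in production.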
This PR implements the same feature as #556. It suffers from failing tests due to rubocop, which are independent of this PR. I opened #558 to fix this.
Hi @tmaier thanks for your interest in secure_headers. I'm a maintainer and I've been testing all of the open PRs manually for compatibility. When I was testing #556 I noticed that implementation doesn’t deep copy reporting_endpoints in the dup method, unlike this implementation. I found that the reporting-endpoints header wasn’t always preserved on pages where overrides were used. When the config is overridden, the reporting endpoints might get dropped or unintentionally changed. Without a deep copy, changes to reporting endpoints for one request can accidentally get shared with other requests or configs—basically, updates can “leak” in weird ways, especially in threaded environments.
I only ran into this in an app that uses overrides, did you happen to test this out on an app that uses secure_headers overrides?
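The dup behaviour described in the comment above is plain Ruby semantics: `Object#dup` copies the object but not the objects its instance variables point at, so a copied config shares its `reporting_endpoints` hash with the base config until `initialize_copy` replaces it. The following is an added example, not code from secure_headers or from either PR; `ShallowConfig`, `DeepConfig` and `override_leaks?` are hypothetical names constructed to show the leak and its fix in isolation.

```ruby
# Added example (not secure_headers' own code). Two minimal config classes
# holding a reporting_endpoints hash; one relies on Ruby's shallow dup, the
# other deep-copies in initialize_copy. A per-request override applied to the
# copy mutates the base config only in the shallow case.

class ShallowConfig
  attr_accessor :reporting_endpoints

  def initialize(reporting_endpoints)
    @reporting_endpoints = reporting_endpoints
  end
  # No initialize_copy: dup returns a new object whose @reporting_endpoints
  # is the very same Hash as the original's.
end

class DeepConfig
  attr_accessor :reporting_endpoints

  def initialize(reporting_endpoints)
    @reporting_endpoints = reporting_endpoints
  end

  # Called by dup and clone. Copy the hash and each string inside it so the
  # copy owns its data; a frozen base config could then stay immutable.
  def initialize_copy(source)
    super
    @reporting_endpoints = source.reporting_endpoints.each_with_object({}) do |(name, url), copy|
      copy[name.dup] = url.dup
    end
  end
end

# Returns true when an override applied to a dup'd config changed the base.
def override_leaks?(config_class)
  base = config_class.new({ "csp-violations" => "https://example.com/reports" }) # constructed sample
  before = Marshal.load(Marshal.dump(base.reporting_endpoints)) # independent snapshot

  per_request = base.dup
  # The kind of in-place change a request-specific override performs:
  per_request.reporting_endpoints["csp-violations"] = "https://override.example/reports"
  per_request.reporting_endpoints["extra"] = "https://extra.example/reports"

  base.reporting_endpoints != before
end

# Returns true when base and copy still reference the same Hash object.
def shares_storage?(config_class)
  base = config_class.new({ "csp-violations" => "https://example.com/reports" })
  base.dup.reporting_endpoints.equal?(base.reporting_endpoints)
end

if __FILE__ == $PROGRAM_NAME
  puts "shallow dup leaks override into base: #{override_leaks?(ShallowConfig)}"
  puts "deep copy leaks override into base:   #{override_leaks?(DeepConfig)}"
end
```

In a threaded server the shallow version turns this into a race: whichever request last wrote the shared hash decides which endpoint every other concurrent response advertises, which is exactly the "leak in weird ways" symptom the maintainer describes. A quick regression check for a config class is `base.dup.reporting_endpoints.equal?(base.reporting_endpoints)`, which must be false.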