
feat: report-to

Open sericaia opened this issue 6 years ago • 4 comments

This is work in progress. report-to aims to replace report-uri in CSP 3 but it only has support in certain browsers (Chrome and Android > v70).

Basically what is missing from this PR is a rule in Joi that supports the desired behaviour and add it in schema.

So we want to have the following different rules:

  • use report-only only when report-uri is present (as we currently have): schema.with('reportOnly', 'reportUri');

  • same as before, but for report-to (when reportTo replaces reportUri): schema.with('reportOnly', 'reportTo');

  • we can also have both reportUri and reportTo and the browser will decide which one to use

Something like schema.with('reportOnly', ['reportUri', 'reportTo']); or using object.or schema.or(schema.with('reportOnly', 'reportUri'), schema.with('reportOnly', 'reportTo'))

I couldn't find a way to properly do it in Joi. @nlf do you know if it is possible in any way?

sericaia avatar Apr 02 '19 21:04 sericaia

There is also a dependency from report-to CSP property and Report-to header, but I don't think we can cover it in this module... (it is a bit different to what we have with content-security-policy-report-only header)

sericaia avatar Apr 02 '19 21:04 sericaia

so the issue here is that the reportOnly option requires one or both of reportUri and reportTo?

also re: the Report-To header, in my opinion if that header is used for CSP purposes we should probably support it..

nlf avatar Apr 24 '19 17:04 nlf

yes ;) is there any way I am not seeing to do it?

you mean supporting Report-to header in Blankie? isn't it a bit out of scope since it is not under CSP header?

sericaia avatar May 01 '19 11:05 sericaia
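
The rule discussed above (reportOnly needs reportUri, reportTo, or both) written as a dependency-free check. This is an added example, not part of the thread, not blankie's code and not a Joi schema. The option names come from the thread; `validateReporting`, `buildCspHeader` and the sample values are assumptions made for illustration.

```javascript
// Added example: plain JavaScript, not blankie's code and not a Joi schema.
// reportOnly, reportUri and reportTo are the option names from the thread;
// validateReporting and buildCspHeader are hypothetical helper names.

// report-to takes a reporting group name (a token), not a URL.
// This pattern is a conservative subset of the token grammar.
const GROUP_NAME = /^[A-Za-z0-9._-]+$/;

function validateReporting(options) {
  const errors = [];
  const { reportOnly = false, reportUri, reportTo } = options;

  // ";" would end the directive and "," would split the header into two policies.
  if (reportUri !== undefined &&
      (typeof reportUri !== 'string' || reportUri === '' || /[;,]/.test(reportUri))) {
    errors.push('reportUri must be a non-empty string without ";" or ","');
  }
  if (reportTo !== undefined && (typeof reportTo !== 'string' || !GROUP_NAME.test(reportTo))) {
    errors.push('reportTo must be a reporting group name, not a URL');
  }
  // Report-only mode needs at least one destination; without one the
  // policy neither blocks nor reports anything.
  if (reportOnly && reportUri === undefined && reportTo === undefined) {
    errors.push('reportOnly requires reportUri, reportTo, or both');
  }
  return errors;
}

function buildCspHeader(options, directives) {
  const errors = validateReporting(options);
  if (errors.length > 0) {
    throw new Error(errors.join('; '));
  }
  const parts = Object.entries(directives).map(([name, values]) => `${name} ${values.join(' ')}`);
  // When both are emitted, the browser decides which one to use.
  if (options.reportUri !== undefined) parts.push(`report-uri ${options.reportUri}`);
  if (options.reportTo !== undefined) parts.push(`report-to ${options.reportTo}`);
  return {
    name: options.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: parts.join('; ')
  };
}

// Constructed sample input: both destinations set in report-only mode.
const sample = buildCspHeader(
  { reportOnly: true, reportUri: '/csp-report', reportTo: 'csp-endpoint' },
  { 'default-src': ["'self'"] }
);
console.log(`${sample.name}: ${sample.value}`);
```

The `report-to` group name only resolves if the response also carries a matching Report-To header, which this sketch does not generate.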

Is this repo no longer maintained?

maharjanraj avatar Nov 09 '23 06:11 maharjanraj