flask-talisman
Add support for `report-to` as well as `report-uri`
`report-to` is supposed to eventually replace the deprecated `report-uri`, though at present it is only supported in Chromium browsers. For now advice is to use both CSP options until support is more complete.

`report-to` requires an additional `Report-To` HTTP header with a JSON object, which is then referred to in the CSP header.
```
Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint
```
Ideally we'd be able to seamlessly add this in if the `content_security_policy_report_uri` was provided? But additionally, also allow explicit setting of the `Report-To` header separately if the user so desires.
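As an added illustration of the behaviour requested above (example code written for this page, not flask-talisman's own implementation): a small WSGI wrapper that emits the `Report-To` header and a CSP carrying both `report-uri` and `report-to`. The group name, endpoint URL and `max_age` come from the issue's example; the class and function names are hypothetical.

```python
import json

# Constructed values mirroring the issue's illustration (assumptions, not real endpoints).
REPORT_GROUP = "csp-endpoint"
REPORT_URL = "https://example.com/csp-reports"
REPORT_MAX_AGE = 10886400  # seconds, as in the issue's example


def build_report_to_header(group, url, max_age):
    """Serialise the Report-To header value: one reporting group, one endpoint."""
    return json.dumps({"group": group, "max_age": max_age, "endpoints": [{"url": url}]})


def build_csp(policy, report_uri, report_to_group):
    """Append both reporting directives to a base CSP (legacy report-uri plus report-to)."""
    directives = [d.strip() for d in policy.split(";") if d.strip()]
    directives.append("report-uri %s" % report_uri)
    directives.append("report-to %s" % report_to_group)
    return "; ".join(directives)


class ReportToMiddleware:
    """Hypothetical WSGI wrapper: adds Report-To and a CSP with both reporting directives."""

    def __init__(self, app, base_policy, report_url, group=REPORT_GROUP, max_age=REPORT_MAX_AGE):
        self.app = app
        self.csp = build_csp(base_policy, report_url, group)
        self.report_to = build_report_to_header(group, report_url, max_age)

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            # Respect headers the wrapped app set explicitly; only fill in what is missing.
            if "report-to" not in names:
                headers.append(("Report-To", self.report_to))
            if "content-security-policy" not in names:
                headers.append(("Content-Security-Policy", self.csp))
            return start_response(status, headers, exc_info)
        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Minimal constructed WSGI app used to exercise the wrapper."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def response_headers(app, environ=None):
    """Run one request through a WSGI app and return the headers it emitted."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    b"".join(app(environ or {"REQUEST_METHOD": "GET"}, start_response))
    return dict(captured["headers"])
```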