Content-Security-Policy-Report-Only #8091

Open
tomlawesome opened this issue Apr 23, 2021 · 2 comments · May be fixed by #10709
Labels
area/middleware kind/enhancement a new or improved feature.


tomlawesome commented Apr 23, 2021

Feature request

Add support for Content-Security-Policy-Report-Only. We can use the standard CSP header with 'contentSecurityPolicy' but it would be nice to be able to instead use it in Report-Only mode. This would help many users to develop their CSP using web-tools before deploying it into their 'production' or (in my case as a home user) homelabs.

What did you expect to see?

contentSecurityPolicyReportOnly in available header middlewares.

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

@jbdoumenjou jbdoumenjou added area/middleware kind/proposal a proposal that needs to be discussed. and removed status/0-needs-triage labels Apr 23, 2021
@jbdoumenjou jbdoumenjou added this to issues in v2 via automation Apr 23, 2021

bachya commented Feb 15, 2022

While we wait for this, note that you can use a custom response header:

customResponseHeaders:
  # Keyword sources must be single-quoted; a bare self or none is parsed as a host name.
  Content-Security-Policy-Report-Only: >-
    connect-src 'self';
    default-src 'none';
    font-src 'self';
    img-src 'self';
    script-src 'self';
    style-src 'self' 'unsafe-inline';


rit001 commented Nov 20, 2023

I think it is time to give this request a bump.

While it should be possible to use a customResponseHeader to express this, it causes issues when trying to express a configuration as 'infrastructure as code'.

It is very easy to switch between "contentSecurityPolicy" and "Content-Security-Policy-Report-Only" using an environment variable; also having to switch between a builtin header definition and a customResponseHeader is not so easy, with the result not being as easy to follow when the config is revisited by another person.

As an example, my definition within a docker-compose file currently looks like this:

- "traefik.http.middlewares.security-headers.headers.${DOCKER_TRAEFIK_CSP_CMD}${DOCKER_TRAEFIK_CSP_LINE1};${DOCKER_TRAEFIK_CSP_LINEEND}"

With a growing number of 'LINEx' variables being added as the CSP becomes more of an essay than a line entry. To support both header types all I would need to do is change the value of DOCKER_TRAEFIK_CSP_CMD to switch between them. Instead, I have to be creative and include more of the traefik label within the environment variable, which makes things harder to read.
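The enforce/report-only switch rit001 describes, together with the receiving end that a Report-Only header needs before it reports anything, as an added Go example (not Traefik's code and not from anyone in this thread): one policy string, a flag that only changes the header name, and a parser for the legacy report a browser POSTs to report-uri. The report path and the sample report are constructed.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// HeaderName picks the header that carries the policy. Report-Only never blocks,
// so a policy can be tuned against real traffic; only the header name differs.
func HeaderName(reportOnly bool) string {
	if reportOnly {
		return "Content-Security-Policy-Report-Only"
	}
	return "Content-Security-Policy"
}

// BuildPolicy joins directives and appends report-uri, without which a
// Report-Only policy reports nowhere. Keywords like 'self' stay single-quoted.
func BuildPolicy(reportURI string, directives ...string) string {
	return strings.Join(append(directives, "report-uri "+reportURI), "; ")
}

// CSPMiddleware sets the chosen header on every response it wraps.
func CSPMiddleware(reportOnly bool, policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set(HeaderName(reportOnly), policy)
		next.ServeHTTP(w, r)
	})
}

// Report mirrors the legacy "application/csp-report" JSON POSTed to report-uri.
type Report struct {
	Body struct {
		DocumentURI       string `json:"document-uri"`
		ViolatedDirective string `json:"violated-directive"`
		BlockedURI        string `json:"blocked-uri"`
	} `json:"csp-report"`
}

// ParseReport decodes one report; reject the body on error, never log it raw.
func ParseReport(raw []byte) (Report, error) {
	var rep Report
	return rep, json.Unmarshal(raw, &rep)
}

func main() { // constructed sample report, not captured from a real browser
	rep, err := ParseReport([]byte(`{"csp-report":{"document-uri":"https://app.example/","violated-directive":"script-src","blocked-uri":"https://cdn.example/x.js"}}`))
	println(rep.Body.ViolatedDirective, rep.Body.BlockedURI, err == nil)
}
```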

@SpecLad SpecLad linked a pull request May 10, 2024 that will close this issue
@rtribotte rtribotte added kind/enhancement a new or improved feature. and removed kind/proposal a proposal that needs to be discussed. labels May 13, 2024