report-to #156
Comments
Thanks for letting me know about this. I'll take a look. If you see any resources about this (specs, helpful blog posts), I'd appreciate a link here, though that's something I can do on my own time too.

Here's the spec: https://www.w3.org/TR/CSP/#directives-fetch. If you scroll to the bottom here you can see the present state of usage: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Moving this to csp#63.

@EvanHahn I can see helmetjs/csp@b2d9fdf was merged into csp to solve this issue, but I can't see any equivalent code in the

@mjaggard You can use

```js
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        reportTo: ["foo"],
      },
    },
  })
);
```

Or if you prefer to use the CSP middleware by itself:

```js
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      reportTo: ["foo"],
    },
  })
);
```

Hope this answers your question.
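
The value given to `report-to` names a reporting endpoint group, and that group is declared in a separate `Report-To` response header. The following check is an added example, not code from this thread or from Helmet: it confirms that the group a policy names is actually defined. The function names, sample header values and the `reports.example` host are hypothetical.

```javascript
// Added example. Header values here are constructed samples.
const SAMPLE_CSP = "default-src 'self'; report-to foo";
const SAMPLE_REPORT_TO =
  '{"group":"foo","max_age":86400,"endpoints":[{"url":"https://reports.example/csp"}]}';

// Parse a CSP header value into a Map of directive name -> values.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers, so the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Parse a Report-To value (comma-separated JSON objects) into group -> URLs.
function parseReportTo(headerValue) {
  const groups = new Map();
  let entries;
  try {
    entries = JSON.parse(`[${headerValue}]`);
  } catch {
    return groups; // malformed header defines no usable groups
  }
  for (const entry of entries) {
    if (!entry || !Array.isArray(entry.endpoints)) continue;
    groups.set(entry.group || "default", entry.endpoints.map((e) => e && e.url));
  }
  return groups;
}

function isHttps(url) {
  try { return new URL(url).protocol === "https:"; } catch { return false; }
}

// Return the problems found in a CSP / Report-To header pair.
function checkReporting(cspHeader, reportToHeader = "") {
  const csp = parseCsp(cspHeader);
  const [group] = csp.get("report-to") || [];
  if (!group) return ["policy has no report-to directive"];
  const groups = parseReportTo(reportToHeader);
  if (!groups.has(group)) return [`group "${group}" is not defined in Report-To`];
  if (!groups.get(group).some(isHttps)) return [`group "${group}" has no https endpoint`];
  return [];
}
```

Run against the headers a deployed route returns, `checkReporting` returns an empty array only when violation reports have somewhere to go.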

I got this when validating my HTML. Time to add the `report-to` directive?

Warning: Content-Security-Policy HTTP header: Bad content security policy: A draft of the next version of CSP deprecates report-uri in favour of a new report-to directive.