report-to

[selfagency]

I got this when validating my HTML. Time to add the report-to directive?

Warning: Content-Security-Policy HTTP header: Bad content security policy: A draft of the next version of CSP deprecates report-uri in favour of a new report-to directive.

[EvanHahn]

Thanks for letting me know about this. I'll take a look.

If you see any resources about this (specs, helpful blog posts), I'd appreciate a link here, though that's something I can do on my own time too.

[selfagency]

here's the spec https://www.w3.org/TR/CSP/#directives-fetch

if you scroll to the bottom here you can see the present state of usage https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

[EvanHahn]

Moving this to csp#63.

[mjaggard]

@EvanHahn I can see helmetjs/csp@b2d9fdf was merged into csp to solve this issue, but I can't see any equivalent code in the helmet code base. Did this get missed or was it not included on purpose?

[EvanHahn]

@mjaggard helmet@4 and helmet-csp@3 added support for all directives by accepting any keys you provide.

You can use report-to with Helmet like this:

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        reportTo: ["foo"],
      },
    },
  })
);

Or if you prefer to use the CSP middleware by itself:

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      reportTo: ["foo"],
    },
  })
);

Hope this answers your question.