Permissions-Policy-Report-Only and Reporting API updates#43853
Permissions-Policy-Report-Only and Reporting API updates#43853chrisdavidmills merged 10 commits intomdn:mainfrom
Conversation
github-actions
bot
added
Content:WebAPI
Preview URLs (6 pages)Flaws (1) Note! 5 documents with no flaws that don't need to be listed. 🎉 Found an unexpected or unresolvable flaw? Please report it here. URL:
(comment last updated: 2026-04-21 06:57:08) |
chrisdavidmills
left a comment
chrisdavidmills
left a comment
There was a problem hiding this comment.
@hamishwillee great work. I've got a few comments for you to look over, but nothing major. I definitely agree that this structure between a header and its report-only version is better.
Co-authored-by: Chris Mills <chrisdavidmills@gmail.com>
hamishwillee
force-pushed
the
reporting_api_permissions_policy_addns
branch
from
e21e395 to
bac066c
Compare
| | Type | Report object | Notes | | ||
| | ------------------------------ | ----------------------------------------------- | ------------------------------------------------------------------------------------------ | | ||
| | `coep` | {{domxref("COEPViolationReport")}} | {{httpheader("Cross-Origin-Embedder-Policy")}} (COEP) violations | | ||
| | `coop` | `COOPViolationReport` | {{httpheader("Cross-Origin-Opener-Policy")}} (COOP) violations | | ||
| | `crash` | {{domxref("CrashReport")}} | Browser crash reports | | ||
| | `csp-violation` | {{domxref("CSPViolationReport")}} | [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/Guides/CSP) violations | | ||
| | `deprecation` | {{domxref("DeprecationReport")}} | Deprecated features used by the site. | | ||
| | `integrity-violation` | {{domxref("IntegrityViolationReport")}} | {{httpheader("Integrity-Policy")}} violations | | ||
| | `intervention` | {{domxref("InterventionReport")}} | Features blocked by the user agent, such as ads that significantly impact page performance | | ||
| | `permissions-policy-violation` | {{domxref("PermissionsPolicyViolationReport")}} | {{httpheader("Permissions-Policy")}} violations | |
There was a problem hiding this comment.
@chrisdavidmills Thanks for the review. I accepted all your suggestions bar one, which has a comment.
The only other change is I re-wrote this section on report types to have a clear list.
Note that this is the documented types. There are some I haven't tested yet, such as document policy and NetworkErrorReport. Those might require further updates - i.e. I have a feeling that NetworkErrorReport can't be sent to server endpoints so the text might need minor amendment.
I think this is good to go. Updating -Report-Only headers for other HTTP headers will be a separate task done right at the end.
There was a problem hiding this comment.
Yup, looks good to me.
chrisdavidmills
left a comment
chrisdavidmills
left a comment
There was a problem hiding this comment.
LGTM. Nice wce work, @hamishwillee.
|
Thanks very much @chrisdavidmills . I feel like we're slowly getting there. I'm back on release tasks today, but once I have that in hand I'll look at Network errors, COOP reports, and Document-Policy. |
3 participants
This PR does a number of things:
Permissions-Policy-Report-OnlyHTTP header, to complement thePermissions-Policyheader. The headers are the same really, the only difference being that the report version does not enforce the policy and has a differentdispositionin reports.@chrisdavidmills I haven't checked this yet. Will take review, but might do a little tidy tomorrow.