Merge pull request #10166 from playframework/mergify/bp/2.8.x/pr-10164

[doc] Add report-only section in CspFilter.md (bp #10164)
playframework · Apr 5, 2020 · 1cb3d83 · 1cb3d83
2 parents d671e96 + 44a8026
commit 1cb3d83
Showing 1 changed file with 17 additions and 10 deletions.
diff --git a/documentation/manual/working/commonGuide/filters/CspFilter.md b/documentation/manual/working/commonGuide/filters/CspFilter.md
@@ -70,9 +70,18 @@ If `play.filters.headers.contentSecurityPolicy` is not null, you will receive a
 
 > **Note:** You will want to review the Content Security Policy specified in the CSP filter closely to ensure it meets your needs, as it differs substantially from the previous `contentSecurityPolicy`.
 
-### Configuring CSP Report Only
+### Configuring CSP Reports
+
+When the CSP `report-to` or `report-uri` CSP directives in `conf/application.conf` are configured, a page that violates the directives will send a report to the given URL.
 
-CSP has a feature which will place CSP violations into a "report only" mode, which results in the browser allowing the page to render and sending a CSP report to a given URL.
+```hocon
+play.filters.csp {
+  directives {
+    report-to = "http://localhost:9000/report-to"
+    report-uri = ${play.filters.csp.directives.report-to}
+  }
+}
+```
 
 CSP reports are formatted as JSON.  For your convenience, Play provides a body parser that can parse a CSP report, useful when first adopting a CSP policy.  You can add a CSP report controller to send or store the CSP report at your convenience:
 
@@ -91,16 +100,14 @@ POST     /report-to                 controllers.CSPReportController.report
 
 Note that if you have the CSRF filter enabled, you may need `+ nocsrf` route modifier, or add `play.filters.csrf.contentType.whiteList += "application/csp-report"` to `application.conf` to whitelist CSP reports.
 
-The report feature is enabled by setting the `reportOnly` flag, and configuring the `report-to` and `report-uri` CSP directives in `conf/application.conf`:
+### Configuring CSP Report Only
+
+CSP also has a "report only" feature which results in the browser allowing the page to render, while still sending a CSP report to a given URL. 
+
+The report feature is enabled by setting the `reportOnly` flag in addition to configuring the `report-to` and `report-uri` CSP directives in `conf/application.conf`:
 
 ```hocon
-play.filters.csp {
-  reportOnly = true
-  directives {
-    report-to = "http://localhost:9000/report-to"
-    report-uri = ${play.filters.csp.directives.report-to}
-  }
-}
+play.filters.csp.reportOnly = true
 ```
 
 CSP reports come in four different styles: "Blink", "Firefox", "Webkit", and "Old Webkit".  Zack Tollman has a good blog post [What to Expect When Expecting Content Security Policy Reports](https://www.tollmanz.com/content-security-policy-report-samples/) that discusses each style in detail.