CSP add report-uri #33

vasco-santos · 2022-12-15T14:33:25Z

We should have an API where we can receive reports from URIs being blocked by CSP, so that we can have a picture of how this affects users, as well as how we can make it better.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#reporting_directives

report-uri Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI

cc @jchris

jchris · 2022-12-15T14:40:13Z

@heyjay44 this is related to a bug report / fix for hosting HTML apps on our gateway.

timely (capturing a snapshot of our usage as people were doing before a recent policy change, so if we wait too long those errors will taper off)
lightweight (I think only a few lines of code plus test and release cycle)
independent (could be shipped with or without other changes going on)

I'm not saying we should change the schedule for it but if it sneaks in, that's why :)

PS here is a screenshot of how our policy change can impact apps that were running previously:

vasco-santos added kind/enhancement A net-new feature or improvement to an existing feature need/triage Needs initial labeling and prioritization labels Dec 15, 2022

vasco-santos self-assigned this Dec 15, 2022

This was referenced Jan 3, 2023

feat: add csp report endpoint nftstorage/nftstorage.link#209

Merged

feat: add csp report endpoint #39

Merged

vasco-santos closed this as completed in nftstorage/nftstorage.link#209 Jan 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP add report-uri #33

CSP add report-uri #33

vasco-santos commented Dec 15, 2022

jchris commented Dec 15, 2022 •

edited

CSP add report-uri #33

CSP add report-uri #33

Comments

vasco-santos commented Dec 15, 2022

jchris commented Dec 15, 2022 • edited

jchris commented Dec 15, 2022 •

edited