
Proposal: replacement for deprecated report-uri for content_security_policy #97

Open
carlosjeurissen opened this issue Oct 3, 2021 · 2 comments
Labels: proposal (Proposal for a change or new feature); supportive: safari (Supportive from Safari); topic: csp (Related to content security policy enforcement)

Comments

@carlosjeurissen (Contributor)

Issue

Currently, CSP reports can be received using the report-uri directive of the CSP. report-uri, however, is currently deprecated. See CSP: report-uri on MDN.

Solution

Thus, if we want to keep this functionality for WebExtensions, we need to provide an alternative. For CSP on websites, the alternative is the report-to directive. For extensions, we should be able to define report-to groups. This could be defined using either of two potential syntaxes.

Syntax 1

A new manifest key report_to, like this:

```json
{
  "report_to": [{
    "group": "endpoint-1",
    "max_age": 10886400,
    "endpoints": [
      { "url": "https://example.com/reports" },
      { "url": "https://backup.com/reports" }
    ]
  }]
}
```

Syntax 2

Or we add it to the content_security_policy property, like this:

```json
{
  "content_security_policy": {
    "extension_pages": "default-src 'none'; report-to endpoint-1",
    "report_to": [{
      "group": "endpoint-1",
      "max_age": 10886400,
      "endpoints": [
        { "url": "https://example.com/reports" },
        { "url": "https://backup.com/reports" }
      ]
    }]
  }
}
```

Additional info

Syntax 1 has the added benefit of potentially allowing other reports to be collected in the future, in case we want to add support for them, such as Document-Policy reports.
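A consistency check for the second syntax, added here as an example; it is not code from the issue or from any browser vendor, and parseCsp, validateReportTo and toReportToHeader are assumed helper names. It verifies that every report-to group named in a policy string is actually declared, that no surface still relies on the deprecated report-uri, and that endpoints are https; it also shows that the proposed group objects serialize directly into the Report-To header format the author refers to.

```javascript
// Parse a CSP string into Map<directive, [values]>, e.g.
// "default-src 'none'; report-to endpoint-1" -> {"default-src": ["'none'"], "report-to": ["endpoint-1"]}
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Validate a content_security_policy object that carries a "report_to" array
// (proposal "Syntax 2"). Returns a list of human-readable problems; empty means OK.
function validateReportTo(csp) {
  const problems = [];
  const groups = new Map();
  for (const g of csp.report_to || []) {
    if (typeof g.group !== 'string' || g.group === '') problems.push('group name missing');
    if (!Number.isInteger(g.max_age) || g.max_age <= 0) problems.push(`${g.group}: max_age must be a positive integer`);
    if (!Array.isArray(g.endpoints) || g.endpoints.length === 0) {
      problems.push(`${g.group}: no endpoints`);
    } else {
      for (const e of g.endpoints) {
        let u;
        try { u = new URL(e.url); } catch { problems.push(`${g.group}: invalid url ${e.url}`); continue; }
        // Reports can contain page URLs and blocked resources; never send them in the clear.
        if (u.protocol !== 'https:') problems.push(`${g.group}: endpoint must be https: ${e.url}`);
      }
    }
    groups.set(g.group, g);
  }
  // Every other key (extension_pages, sandbox, ...) is a policy string.
  for (const [surface, policy] of Object.entries(csp)) {
    if (surface === 'report_to') continue;
    const d = parseCsp(policy);
    if (d.has('report-uri')) problems.push(`${surface}: uses deprecated report-uri`);
    for (const name of d.get('report-to') || []) {
      if (!groups.has(name)) problems.push(`${surface}: report-to group "${name}" is not defined`);
    }
  }
  return problems;
}

// The proposed group objects are exactly the JSON objects a Report-To header carries.
function toReportToHeader(groups) {
  return groups.map((g) => JSON.stringify(g)).join(', ');
}

// Constructed sample manifest fragment mirroring "Syntax 2" above.
const SAMPLE_CSP = {
  extension_pages: "default-src 'none'; report-to endpoint-1",
  report_to: [{ group: 'endpoint-1', max_age: 10886400,
    endpoints: [{ url: 'https://example.com/reports' }, { url: 'https://backup.com/reports' }] }],
};
```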

@carlosjeurissen carlosjeurissen changed the title Replacement for deprecated report-uri for content_security_policy Proposal: replacement for deprecated report-uri for content_security_policy Oct 3, 2021
@xeenon (Collaborator) commented Feb 17, 2022

This proposal sounds good to me for Safari. If we went with proposal 1, I'd like to propose policy_reports or policy_report_to as the key to be more specific about what it is. For proposal 2, it is fine to keep the report_to key name since it is scoped to content_security_policy.

@carlosjeurissen (Contributor, Author)

@xeenon Would also work. The reason I proposed report_to is the fact it matches the HTTP header just like content_security_policy does. See:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
