[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: replacement for deprecated report-uri for content_security_policy #97

Open
carlosjeurissen opened this issue Oct 3, 2021 · 2 comments
Open

Proposal: replacement for deprecated report-uri for content_security_policy #97

carlosjeurissen opened this issue Oct 3, 2021 · 2 comments
Labels
proposal Proposal for a change or new feature supportive: safari Supportive from Safari topic: csp Related to content security policy enforcement

Comments

@carlosjeurissen
Copy link
Contributor

Issue

Currently CSP reports can be received using the report-uri directive of the CSP. report-uri however is currently deprecated. See CSP: report-uri on MDN.

Solution

Thus if we want to keep this functionality for webExtensions, we need to provide an alternative. For CSP on websites, the alternative is the report-to directive. For extensions we should be able to define report-to groups. This could either be defined using two potential syntaxes.

Syntax 1

a new manifest key report_to like this:

{
  "report_to": [{
    "group": "endpoint-1",
    "max_age": 10886400,
    "endpoints": [
      { "url": "https://example.com/reports" },
      { "url": "https://backup.com/reports" }
    ]
  }]
}

Syntax 2

Or we add it to the content_security_policy property like this:

{
  "content_security_policy": {
    "extension_pages": "default-src 'none'; report-to endpoint-1",
    "report_to":  [{
      "group": "endpoint-1",
      "max_age": 10886400,
      "endpoints": [
        { "url": "https://example.com/reports" },
        { "url": "https://backup.com/reports" }
      ]
    }]
  }
}

Additional info

Syntax 1 has the added benefit of potentially allowing other reports to be collected in the future in case we want to add support for them like adding support for Document-Policy reports.
@carlosjeurissen carlosjeurissen mentioned this issue Oct 3, 2021
Open
@carlosjeurissen carlosjeurissen changed the title Replacement for deprecated report-uri for content_security_policy Proposal: replacement for deprecated report-uri for content_security_policy Oct 3, 2021
@xeenon
Copy link
Collaborator
xeenon commented Feb 17, 2022

This proposal sounds good to me for Safari. If we went with proposal 1, I'd like to propose policy_reports or policy_report_to as the key to be more specific about what it is. For proposal 2, it is fine to keep the report_to key name since it is scoped to content_security_policy.

@carlosjeurissen
Copy link
Contributor Author

@xeenon Would also work. The reason I proposed report_to is the fact it matches the HTTP header just like content_security_policy does. See:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to

@Rob--W Rob--W mentioned this issue Feb 17, 2022
Merged
@carlosjeurissen carlosjeurissen mentioned this issue Apr 14, 2022
Open
@Rob--W Rob--W mentioned this issue Apr 14, 2022
Merged
@carlosjeurissen carlosjeurissen added the topic: csp Related to content security policy enforcement label Apr 29, 2022
@carlosjeurissen carlosjeurissen mentioned this issue May 12, 2022
Open
@Rob--W Rob--W mentioned this issue May 12, 2022
Merged
@xeenon xeenon added proposal Proposal for a change or new feature supportive: safari Supportive from Safari labels Aug 31, 2022
@carlosjeurissen carlosjeurissen added the agenda Discuss in future meetings label Oct 17, 2022
@carlosjeurissen carlosjeurissen mentioned this issue Oct 17, 2022
Closed
@carlosjeurissen carlosjeurissen mentioned this issue Oct 31, 2022
Closed
@Rob--W Rob--W mentioned this issue Nov 24, 2022
Merged
@dotproto dotproto removed the agenda Discuss in future meetings label Mar 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
proposal Proposal for a change or new feature supportive: safari Supportive from Safari topic: csp Related to content security policy enforcement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@xeenon @carlosjeurissen @dotproto