- Issue created by @jimmb
- 🇨🇦 Canada gapple
After installing the Reporting API module, you will need to update your site's policies to use the new "Reporting Endpoint" plugin options. After you do so, the status page warning will be removed.
If you upgrade CSP without changing the reporting destination to something other than CSP's sitelog handler, reporting will be disabled for that policy.
And a note on the endpoints that CSP adds to the Reporting API configuration: older browsers didn't differentiate between violations against the report-only or enforced policies on a page, so required separate URLs for sending the corresponding reports. That needs to be reviewed if it's still necessary for current browsers (Review Reporting API endpoint configs, Active).
- 🇺🇸 United States jimmb
Thanks very much for the helpful reply and screenshot! So far, my CSP setup is completely using the default settings, and this is what I did:
1. Installed https://www.drupal.org/project/reporting (with Composer) and enabled the module
2. Went to /admin/config/system/reporting and viewed the 3 Reporting Endpoints that exist by default with this module, and made no changes
3. Went to /admin/config/system/csp and did the following:
- Under Policies > Report Only (which is enabled), I left everything as is but at the bottom in the 'Reporting' section I changed the 'Handler' to "Reporting Endpoint" and then for 'Endpoint' selected: Content Security Policy - Report Only (as per your screenshot)
- Under Policies > Enforced (which is enabled), I left everything as is but at the bottom in the 'Reporting' section I changed the 'Handler' to "Reporting Endpoint" and then for 'Endpoint' selected: Content Security Policy - Enforced
And now back on the Status Report page, I'm seeing that warning is gone. So hopefully I've done everything that was mentioned (or implied) in your comment, and I'll assume everything is correct now.
I must confess I'm not totally understanding your last paragraph, but in general I'm thinking this new Drupal 10 site -- which has otherwise been built assuming users are on current browsers -- will have users using ~ the latest versions of Chrome, Firefox, Safari and Edge. And so hopefully this should be fine - unless a warning pops up in the future that tells me otherwise.
- Status changed to Fixed, 6:54am 29 June 2024
- 🇨🇦 Canada gapple
That all sounds correct.
It's nothing to worry about - it's just whether or not all CSP reports could be sent to the 'default' endpoint and you could tell which policy they corresponded to. In the future, you may not see separate Reporting Endpoints for CSP if you're installing the modules on a new site.
The module won't show any warnings or modify config for existing sites if this change happens.
- Automatically closed - issue fixed for 2 weeks with no activity.
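A check for the outcome of the steps in this thread, as an added example that is not part of the original comments or of the CSP or Reporting API modules: it confirms that each CSP header's `report-to` names an endpoint defined in the `Reporting-Endpoints` response header. The header values, endpoint names and URLs below are constructed for illustration, and the function names are hypothetical.

```python
import re

# Reporting-Endpoints is a structured-field dictionary: name="url", name="url"
_ENDPOINT_RE = re.compile(r'([a-z*][a-z0-9_.*-]*)\s*=\s*"([^"]*)"')

def parse_reporting_endpoints(value):
    """Return {endpoint_name: url} from a Reporting-Endpoints header value."""
    return dict(_ENDPOINT_RE.findall(value or ""))

def parse_csp(value):
    """Return {directive_name: [tokens]} from a CSP header value."""
    directives = {}
    for part in (value or "").split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def check_csp_reporting(headers):
    """Return findings about where the enforced and report-only policies send reports."""
    h = {k.lower(): v for k, v in headers.items()}
    endpoints = parse_reporting_endpoints(h.get("reporting-endpoints"))
    findings, targets = [], {}
    for name in ("content-security-policy", "content-security-policy-report-only"):
        if name not in h:
            continue
        policy = parse_csp(h[name])
        group = (policy.get("report-to") or [None])[0]
        if group is None:
            kind = "only report-uri" if "report-uri" in policy else "no reporting directive"
            findings.append(f"{name}: {kind}, no report-to")
        elif group not in endpoints:
            findings.append(f"{name}: report-to '{group}' is not in Reporting-Endpoints")
        else:
            targets[name] = endpoints[group]
    if len(targets) == 2 and len(set(targets.values())) == 1:
        findings.append("note: both policies report to the same URL")
    return findings

# Constructed sample headers; the endpoint names and URLs are made up.
GOOD = {
    "Reporting-Endpoints": 'csp-enforce="https://example.test/r/enforce", '
                           'csp-report-only="https://example.test/r/report-only"',
    "Content-Security-Policy": "default-src 'self'; report-to csp-enforce",
    "Content-Security-Policy-Report-Only": "script-src 'self'; report-to csp-report-only",
}
BAD = {**GOOD, "Content-Security-Policy": "default-src 'self'; report-to csp-typo"}

if __name__ == "__main__":
    print(check_csp_reporting(GOOD), check_csp_reporting(BAD))
```
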