Review Reporting API endpoint configs

Created on 27 June 2024, 6 months ago
Updated 31 July 2024, 5 months ago

Problem/Motivation

CSP creates two Reporting API endpoints for enforced and report-only violations when both modules are installed.
This was done to support older browsers that didn't include a 'disposition' attribute on reports, so it wasn't possible to determine which policy a report violated if they sent violations to the same URL.

AFAIK:
- Chrome supports the report-to directive, which requires 'disposition' on each of the violations in the set it sends.
- Firefox still uses the report-uri directive, but does include 'disposition'.

Proposed resolution

- Review attributes included in violations by currently supported browsers
- Remove optional configuration when all browsers include 'disposition' in violation reports.

Remaining tasks

User interface changes

API changes

New installations will not have the additional report endpoints, but existing installations will not be changed.

Data model changes

📌 Task
Status: Fixed
Version: 2.0
Component: Code
Created by: 🇨🇦 Canada gapple
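
An added example, not code from the CSP module or from the issue author: a sketch of how a single endpoint can separate enforced from report-only violations by reading 'disposition' from both the report-uri (`application/csp-report`) and report-to (`application/reports+json`) payloads, with a fallback for reports that omit it. The function name `csp_example_parse_reports()` is hypothetical and the sample bodies are constructed.

```php
<?php
// Hypothetical helper: normalize one violation request body into a list of
// ['disposition' => enforce|report|unknown, 'directive' => ..., 'blocked' => ...].
function csp_example_parse_reports(string $contentType, string $body): array {
  $data = json_decode($body, TRUE);
  if (!is_array($data)) {
    return [];
  }
  $mediaType = strtolower(trim(explode(';', $contentType)[0]));
  $bodies = [];
  if ($mediaType === 'application/csp-report') {
    // report-uri: a single object wrapped in a "csp-report" key.
    if (is_array($data['csp-report'] ?? NULL)) {
      $bodies[] = $data['csp-report'];
    }
  }
  elseif ($mediaType === 'application/reports+json') {
    // report-to: a batch that may also carry non-CSP report types.
    foreach ($data as $report) {
      if (is_array($report) && ($report['type'] ?? '') === 'csp-violation' && is_array($report['body'] ?? NULL)) {
        $bodies[] = $report['body'];
      }
    }
  }
  // Report bodies are untrusted input: accept strings only.
  $str = fn($v): string => is_string($v) ? $v : '';
  $out = [];
  foreach ($bodies as $b) {
    // A report without a valid 'disposition' cannot be attributed to a policy.
    $d = $b['disposition'] ?? NULL;
    $out[] = [
      'disposition' => in_array($d, ['enforce', 'report'], TRUE) ? $d : 'unknown',
      'directive' => $str($b['effectiveDirective'] ?? $b['effective-directive'] ?? $b['violated-directive'] ?? ''),
      'blocked' => $str($b['blockedURL'] ?? $b['blocked-uri'] ?? ''),
    ];
  }
  return $out;
}
// Constructed samples: report-uri, a report-to batch, and a report with no disposition.
$samples = [
  ['application/csp-report', '{"csp-report":{"effective-directive":"script-src","blocked-uri":"https://cdn.example/a.js","disposition":"report"}}'],
  ['application/reports+json', '[{"type":"csp-violation","body":{"effectiveDirective":"img-src","blockedURL":"https://img.example/x.png","disposition":"enforce"}},{"type":"deprecation","body":{}}]'],
  ['application/csp-report', '{"csp-report":{"violated-directive":"style-src","blocked-uri":"inline"}}'],
];
foreach ($samples as [$type, $body]) {
  foreach (csp_example_parse_reports($type, $body) as $r) {
    echo "{$r['disposition']}\t{$r['directive']}\t{$r['blocked']}\n";
  }
}
```

The share of `unknown` rows in real traffic is the figure the review in this issue depends on: separate endpoints are only needed while it is non-zero.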
