mdn / mdn-http-observatory

Mozilla Public License 2.0

Sites sending `Content-Security-Policy-Report-Only` are reported as "No CSP headers detected" #5

Open globau opened 4 days ago

globau commented 4 days ago

What information was incorrect, unhelpful, or incomplete?

Scan a site that uses report-only CSP (e.g. https://developer.allizom.org/en-US/observatory/analyze?host=google.com#csp)

What did you expect to see?

-25 on the score is expected, but the "CSP analysis" tab should be populated to provide guidance to folk before they switch to an enforced policy.

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

github-actions[bot] commented 4 days ago

It looks like this is your first issue. Welcome! 👋 One of the project maintainers will be with you as soon as possible. We appreciate your patience. To safeguard the health of the project, please take a moment to read our code of conduct.

chrisdavidmills commented 4 days ago

Hi @globau! Thanks for the feedback — this is a good point, and we are already taking steps to address it. Note also that the associated MDN observatory CSP docs already include guidance on using Content-Security-Policy-Report-Only and report-to/report-uri.

Given that we don't want to delay the launch further, we intend to address this with a two-step process:

  1. For now, we will implement a new test result that is reported if Content-Security-Policy-Report-Only is detected. Something along these lines (we will also provide similar guidance on the "CSP analysis" tab):

    • Test result: csp-implemented-report-only
    • Description: Content Security Policy (CSP) reporting implemented only, with Content-Security-Policy-Report-Only header.
    • Modifier: -25
    • Recommendation: Implement an enforced policy; see MDN's Content Security Policy (CSP) documentation.
  2. Post-launch, we are considering implementing a more structured approach, which provides better detailing on the "CSP analysis" tab. We'd love your help on this — can you give us your thoughts on where the main value lies in having Observatory report on Content-Security-Policy-Report-Only header implementations, and what your ideal experience would look like?
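As an added illustration (not code from the mdn-http-observatory project), the check below classifies a response's CSP headers the way the proposal above describes, so a `Content-Security-Policy-Report-Only` header is reported as `csp-implemented-report-only` with a -25 modifier instead of as "no CSP headers detected". The result name and modifier for the report-only case come from the thread; the other result names, the helper names and the sample headers are assumptions constructed for the example.

```javascript
// HTTP header names are case-insensitive, so fold them before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// A report-only policy only tells the operator anything if it names
// somewhere to send violation reports (report-uri or report-to).
function hasReportingDirective(policy) {
  return policy
    .split(";")
    .map((d) => d.trim().toLowerCase())
    .some((d) => d.startsWith("report-uri ") || d.startsWith("report-to "));
}

// Returns a test result in the shape the thread sketches. Result names other
// than "csp-implemented-report-only" are assumed for this example.
function classifyCsp(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const enforced = h["content-security-policy"];
  const reportOnly = h["content-security-policy-report-only"];

  if (enforced !== undefined) {
    // An enforced policy is present. Its modifier depends on the directive
    // analysis (not shown here), so it is left null. A report-only header
    // alongside an enforced one is the normal way to trial a stricter policy.
    return { result: "csp-implemented", modifier: null, policy: enforced };
  }
  if (reportOnly !== undefined) {
    const recommendation = hasReportingDirective(reportOnly)
      ? "Implement an enforced policy."
      : "Add report-uri/report-to so violations are reported, then enforce the policy.";
    return { result: "csp-implemented-report-only", modifier: -25, policy: reportOnly, recommendation };
  }
  return { result: "csp-not-implemented", modifier: -25, policy: null, recommendation: "Implement an enforced policy." };
}

// Constructed sample responses covering each case.
const sampleHeaders = {
  reportOnlyWithReporting: { "Content-Type": "text/html", "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-reports" },
  reportOnlyNoReporting: { "content-security-policy-report-only": "default-src 'self'" },
  enforced: { "Content-Security-Policy": "default-src 'self'" },
  none: { "Content-Type": "text/html" },
};
```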

globau commented 4 days ago

The main value I see is being able to view the Observatory's guidance while iterating on CSP policy.

My ideal experience would be a fully populated CSP tab, as though the policy was enforced, with a message reiterating that it's report-only.

chrisdavidmills commented 4 days ago

Cool, thanks.

caugner commented 3 days ago

> 1. For now, we will implement

This was implemented pre-launch by @argl in https://github.com/mdn/mdn-http-observatory/commit/0ee42c6d70dd9f12cacf4a668bb3337ef41550f7.