Open globau opened 4 days ago
It looks like this is your first issue. Welcome! 👋 One of the project maintainers will be with you as soon as possible. We appreciate your patience. To safeguard the health of the project, please take a moment to read our code of conduct.
Hi @globau! Thanks for the feedback — this is a good point, and we are already taking steps to address it. Note also that the associated MDN Observatory CSP docs already include guidance on using `Content-Security-Policy-Report-Only` and `report-to`/`report-uri`.

Given that we don't want to delay the launch further, we intend to address this with a two-step process:

- For now, we will implement a new test result that is reported if `Content-Security-Policy-Report-Only` is detected. Something along these lines (we will also provide similar guidance on the "CSP analysis" tab):

  `Content-Security-Policy-Report-Only` header.

- Post-launch, we are considering implementing a more structured approach, which provides better detailing on the "CSP analysis" tab. We'd love your help on this — can you give us your thoughts on where the main value lies in having Observatory report on `Content-Security-Policy-Report-Only` header implementations, and what your ideal experience would look like?
The main value I see is being able to view the Observatory's guidance while iterating on CSP policy.
My ideal experience would be a fully populated CSP tab, as though the policy was enforced, with a message reiterating that it's report-only.
Cool, thanks.
> - For now, we will implement
This was implemented pre-launch by @argl in https://github.com/mdn/mdn-http-observatory/commit/0ee42c6d70dd9f12cacf4a668bb3337ef41550f7.
What information was incorrect, unhelpful, or incomplete?
Scan a site that uses a report-only CSP (e.g. https://developer.allizom.org/en-US/observatory/analyze?host=google.com#csp)
What did you expect to see?
-25 on the score is expected, but the "CSP analysis" tab should be populated to provide guidance to folk before they switch to an enforced policy.
Do you have any supporting links, references, or citations?
No response
Do you have anything more you want to share?
No response
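What the issue body and globau's reply above ask for, namely analysing a report-only policy exactly as if it were enforced and calling out the report-only status as one of the findings, sketched as an added example. This is illustrative code written for this page, not mdn-http-observatory's scanner or its scoring logic; the `analyzeCsp`/`parseCsp` functions, the finding strings and the precedence rule for an enforced header alongside a report-only one are assumptions of the example, and the sample headers are constructed.

```javascript
// Added illustration, not mdn-http-observatory code: analyse a site's CSP the
// same way whether it arrives enforced or report-only, and surface the
// report-only status as a finding instead of reporting "no CSP".

const ENFORCED_HEADER = "content-security-policy";
const REPORT_ONLY_HEADER = "content-security-policy-report-only";

// Parse a serialized CSP into a Map of directive name -> source expressions.
// Per the CSP spec, a repeated directive is ignored after its first occurrence.
function parseCsp(serialized) {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective script sources: script-src, falling back to default-src.
function scriptSources(policy) {
  return policy.get("script-src") ?? policy.get("default-src") ?? [];
}

// headers: plain object of response header name -> value (any letter case).
// Returns { mode, policy, findings }; mode is "none", "enforced" or "report-only".
function analyzeCsp(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const enforced = lower[ENFORCED_HEADER];
  const reportOnly = lower[REPORT_ONLY_HEADER];

  if (enforced === undefined && reportOnly === undefined) {
    return { mode: "none", policy: new Map(), findings: ["no Content-Security-Policy header"] };
  }

  // Assumption of this example: when both headers are present, the enforced
  // policy is what protects the page, so that is the one analysed.
  const mode = enforced !== undefined ? "enforced" : "report-only";
  const policy = parseCsp(mode === "enforced" ? enforced : reportOnly);
  const findings = [];

  if (mode === "report-only") {
    findings.push("policy is report-only: violations are reported, not blocked");
    if (!policy.has("report-to") && !policy.has("report-uri")) {
      findings.push("report-only policy names no report-to/report-uri, so nothing receives the reports");
    }
  }

  const scripts = scriptSources(policy);
  // Browsers ignore 'unsafe-inline' in script-src once a nonce or hash is present.
  const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline'");
  }
  if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (scripts.includes("*") || scripts.some((s) => /^https?:$/i.test(s))) {
    findings.push("script-src allows scripts from any origin");
  }
  if (!policy.has("default-src") && !policy.has("script-src")) {
    findings.push("neither default-src nor script-src is set, so scripts are unrestricted");
  }

  return { mode, policy, findings };
}

// Constructed sample: the shape of what a site trialling a policy might send.
const sampleReportOnlyHeaders = {
  "Content-Type": "text/html",
  "Content-Security-Policy-Report-Only":
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; " +
    "object-src 'none'; report-uri /csp-reports",
};

// Constructed sample: an enforced policy whose nonce neutralises 'unsafe-inline'.
const sampleEnforcedHeaders = {
  "content-security-policy": "default-src 'self'; script-src 'nonce-abc123' 'unsafe-inline'",
};

console.log(analyzeCsp(sampleReportOnlyHeaders).findings);
console.log(analyzeCsp(sampleEnforcedHeaders).findings);
```

For the report-only sample this returns the same `'unsafe-inline'` finding the enforced analysis would produce, plus a leading finding that the policy is report-only, which is the "fully populated CSP tab with a reiterated report-only message" experience described above; a report-only policy without `report-to`/`report-uri` gets an extra finding, since such a policy neither blocks nor reports anything.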