The report-to directive works with reporting endpoints (from Reporting). The endpoints need to be configured through another header (Reporting-Endpoints, previously Report-To). This PR only adds the CSP directive; this enables users to migrate to the new reporting API if they provide the endpoints (via a Reporting-Endpoints header) themselves.
I did not deprecate the report-uri directive because browsers ignore it when a report-to directive is present and the browser supports it. Not all (major) browsers support this directive currently, so report-uri is still usefull for reporting in all browsers.
Seldaek
commented
1 month ago
This PR extends
DirectiveSetwith thereport-todirective. It is part of CSP Level 3 and intended to replace the deprecatedreport-uridirective.The
report-todirective works with reporting endpoints (from Reporting). The endpoints need to be configured through another header (Reporting-Endpoints, previouslyReport-To). This PR only adds the CSP directive; this enables users to migrate to the new reporting API if they provide the endpoints (via aReporting-Endpointsheader) themselves.I did not deprecate the
report-uridirective because browsers ignore it when areport-todirective is present and the browser supports it. Not all (major) browsers support this directive currently, soreport-uriis still usefull for reporting in all browsers.Fixes #341