Closed iangcarroll closed 4 years ago
Gotcha. Unfortunately this means we need to downgrade to v2.1.0 in order to use this library, since we need reporting to work. Is there a quick way to get a newer version to stop sending report-to?
I'd be happy to try and send a quick PR to fork out report-to as a different setting from report-uri, but I'll need to get approval from my employer first.
Chrome 76 seems to not handle how csp-builder does report-to; when a report URI is set, Chrome does not send any CSP reports with v2.3.1. Only when the report-to directive is removed does Chrome send reports correctly (presumably to report-uri).
It seems like you can't just pass a normal URL as a report-to value. Did the CSP spec change between implementation and now?
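Added example, not part of the thread and not csp-builder's code: in CSP Level 3, `report-to` names a reporting group declared in a separate `Report-To` response header rather than a URL, and a browser that supports `report-to` ignores `report-uri` when both are present. The Python check below flags the header pair described in the report; the function names, the `csp.example` endpoint and the `csp-endpoint` group name are constructed for illustration.

```python
import json

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def report_to_groups(value):
    """Return the group names declared in a Report-To header value."""
    try:
        # The header is a comma-separated list of JSON objects.
        entries = json.loads("[" + value + "]")
    except ValueError:
        return set()
    return {e.get("group", "default") for e in entries
            if isinstance(e, dict) and e.get("endpoints") and "max_age" in e}

def lint_reporting(headers):
    """Flag a report-to directive that cannot resolve to a reporting endpoint."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    declared = report_to_groups(headers.get("Report-To", ""))
    findings = []
    if "report-to" in csp:
        name = csp["report-to"][0] if csp["report-to"] else ""
        if "/" in name:
            findings.append("report-to holds a URL; it must name a Report-To group")
        elif name not in declared:
            findings.append("report-to group %r is not declared in Report-To" % name)
    return findings

# Constructed sample headers: the same URL emitted for both directives.
BROKEN = {"Content-Security-Policy":
          "default-src 'self'; report-uri https://csp.example/r; "
          "report-to https://csp.example/r"}
# Corrected pair: report-to names a group that the Report-To header defines.
FIXED = {"Content-Security-Policy":
         "default-src 'self'; report-uri https://csp.example/r; report-to csp-endpoint",
         "Report-To": '{"group":"csp-endpoint","max_age":86400,'
                      '"endpoints":[{"url":"https://csp.example/r"}]}'}

if __name__ == "__main__":
    for label, hdrs in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_reporting(hdrs))
```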