paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

Break out the report-to directive from report-uri. #42

Closed iangcarroll closed 4 years ago

iangcarroll commented 5 years ago

In Chrome 76, this library's behavior with report-to does not work. Specifically, you cannot pass a URL as a report-to directive or Chrome will never send CSP reports, even if there is also a report-uri fallback.

I imagine this is because of the reporting API changes.

This is the easiest way I see to make this library start working again, but I am open to discussing it.

iangcarroll commented 4 years ago

Tests should be passing now; let me know what you think.
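The failure described in the first comment, as an added example that is not part of the pull request and does not use csp-builder's own API: under the Reporting API, `report-to` carries a group name that a separate `Report-To` response header maps to an endpoint, while `report-uri` keeps the URL. The function names, the group name `csp-endpoint`, the `max_age` value and the `https://example.com/csp` endpoint are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * True when the policy's report-to value looks like a URL instead of a
 * reporting group name (hypothetical helper, heuristic check on ':' and '/').
 */
function reportToIsUrl(string $policy): bool
{
    foreach (explode(';', $policy) as $directive) {
        $parts = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
        if ($parts && strtolower($parts[0]) === 'report-to') {
            $value = $parts[1] ?? '';
            return strpos($value, ':') !== false || strpos($value, '/') !== false;
        }
    }
    return false; // no report-to directive present
}

/**
 * Build the header pair: report-uri keeps the URL for older browsers,
 * report-to names a group, and Report-To declares that group's endpoint.
 */
function buildReportingHeaders(string $endpointUrl, string $group = 'csp-endpoint', int $maxAge = 86400): array
{
    // Refuse values that would terminate the directive or the header list.
    if (preg_match('/[\s;,]/', $endpointUrl) || !preg_match('/^[A-Za-z0-9_-]+$/', $group)) {
        throw new InvalidArgumentException('Unsafe endpoint URL or group name');
    }
    $reportTo = json_encode([
        'group'     => $group,
        'max_age'   => $maxAge,
        'endpoints' => [['url' => $endpointUrl]],
    ], JSON_UNESCAPED_SLASHES);

    return [
        'Content-Security-Policy' => "default-src 'self'; report-uri {$endpointUrl}; report-to {$group}",
        'Report-To'               => $reportTo,
    ];
}

// Constructed sample: the shape the comment reports as failing in Chrome 76.
$broken = "default-src 'self'; report-uri https://example.com/csp; report-to https://example.com/csp";
var_dump(reportToIsUrl($broken));

$headers = buildReportingHeaders('https://example.com/csp');
var_dump(reportToIsUrl($headers['Content-Security-Policy']));
foreach ($headers as $name => $value) {
    echo "{$name}: {$value}\n";
}
```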