Closed Firesphere closed 1 year ago
Hi @paragonie-security, I left a comment on the pull request earlier. I still get the behaviour after the merged fix: https://github.com/paragonie/csp-builder/issues/62#issuecomment-1407605419, even with the addition of the URL parameter. A downgrade to 2.7.0 resolved my particular issue.
Resolved in latest release :)
The report-uri is encoded when the header is compiled, and then escaped, causing
https://example.com
to be encoded as https%3A//example.com
The browser then interprets this as "https://www.mydomain.com/https%3A//example.com", which... maybe obviously, doesn't work very well.
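The resolution described in the report can be reproduced with the WHATWG `URL` class (Node.js or a browser). This is an added example, not part of the original issue or of csp-builder's code; the function names and the sample headers are hypothetical and constructed from the values quoted above.

```javascript
// Extract the values of the report-uri directive from a CSP header string.
function reportUriValues(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'report-uri') return values;
  }
  return [];
}

// Resolve each report-uri value against the document URL, as a browser does
// for any URL reference, and flag values whose scheme colon was encoded.
function checkReportUris(cspHeader, documentUrl) {
  return reportUriValues(cspHeader).map((value) => {
    const resolved = new URL(value, documentUrl).href;
    // "https%3A" is not a scheme: "%" cannot appear in a scheme, so the
    // parser falls back to treating the whole value as a relative path.
    const encodedScheme = /^[a-z][a-z0-9+.-]*%3a/i.test(value);
    return { value, resolved, encodedScheme };
  });
}

// Constructed sample input, modelled on the values in the issue text.
const documentUrl = 'https://www.mydomain.com/';
const good = "default-src 'self'; report-uri https://example.com";
const bad = "default-src 'self'; report-uri https%3A//example.com";

for (const header of [good, bad]) {
  for (const r of checkReportUris(header, documentUrl)) {
    const note = r.encodedScheme ? '  (encoded scheme, resolved as relative)' : '';
    console.log(`${r.value} -> ${r.resolved}${note}`);
  }
}
```

A check like this fits in a test that inspects the compiled header, so a regression in how the report endpoint is escaped is caught before reports silently go to the wrong origin.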