paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

report-uri is encoded into an unusable string #62

Closed Firesphere closed 1 year ago

Firesphere commented 1 year ago

The report-uri is encoded when the header is compiled, and then escaped, causing https://example.com to be encoded as https%3A//example.com.

The browser then interprets this as "https://www.mydomain.com/https%3A//example.com", which... maybe obviously, doesn't work very well.

paragonie-security commented 1 year ago

61 fixes this. We haven't tagged a release yet.

elliot-sawyer commented 1 year ago

Hi @paragonie-security , I left a comment on the pull request earlier. I still get the behaviour after the merged fix: https://github.com/paragonie/csp-builder/issues/62#issuecomment-1407605419, even with the addition of the URL parameter. A downgrade to 2.7.0 resolved my particular issue

Firesphere commented 1 year ago

Resolved in latest release :)