paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

Integrate or document report-to #63

Open davidsneighbour opened 1 year ago

davidsneighbour commented 1 year ago

It appears that in CSPv3 report-uri is deprecated and replaced with report-to. Report-to looks like a more complicated way to specify types and endpoints. I can see in the code mentioned that report-to is adding a report-uri annotation (for compatibility), but I cannot seem to find a way to define the reporting string. Please either implement or document this feature.

Example:

Report-To: { "group": "csp-endpoint",
              "max_age": 10886400,
              "endpoints": [
                { "url": "https://example.com/csp-reports" }
              ] },
            { "group": "hpkp-endpoint",
              "max_age": 10886400,
              "endpoints": [
                { "url": "https://example.com/hpkp-reports" }
              ] }
Content-Security-Policy: …; report-to csp-endpoint
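
The header pairing from the issue's example, as an added sketch in plain PHP (not csp-builder's own code or API): it builds the Report-To value and refuses a `report-to` directive that names a group the header does not define. The function names `buildReportTo` and `withReporting` and the `default-src 'self'` policy are hypothetical.

```php
<?php
declare(strict_types=1);

// Build a Report-To value: comma-separated JSON objects, one per group.
// $groups maps group name => ['max_age' => int, 'endpoints' => [url, ...]].
function buildReportTo(array $groups): string
{
    $parts = [];
    foreach ($groups as $name => $group) {
        $maxAge = $group['max_age'] ?? null;
        if (!is_int($maxAge) || $maxAge < 0) {
            throw new InvalidArgumentException("max_age must be a non-negative integer in group $name");
        }
        $endpoints = [];
        foreach ($group['endpoints'] ?? [] as $url) {
            // This example accepts only https endpoints.
            if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
                throw new InvalidArgumentException("Endpoint is not https: $url");
            }
            $endpoints[] = ['url' => $url];
        }
        if ($endpoints === []) {
            throw new InvalidArgumentException("Group $name has no endpoints");
        }
        $parts[] = json_encode(
            ['group' => (string) $name, 'max_age' => $maxAge, 'endpoints' => $endpoints],
            JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR
        );
    }
    return implode(', ', $parts);
}

// Append report-to, plus report-uri as the fallback for browsers without report-to.
function withReporting(string $policy, string $group, array $groups): string
{
    if (!isset($groups[$group])) {
        throw new InvalidArgumentException("report-to names an undefined group: $group");
    }
    $fallback = $groups[$group]['endpoints'][0];
    return rtrim($policy, '; ') . "; report-uri $fallback; report-to $group";
}

// Constructed sample values, mirroring the two groups in the issue's example.
$groups = [
    'csp-endpoint'  => ['max_age' => 10886400, 'endpoints' => ['https://example.com/csp-reports']],
    'hpkp-endpoint' => ['max_age' => 10886400, 'endpoints' => ['https://example.com/hpkp-reports']],
];
echo 'Report-To: ' . buildReportTo($groups), PHP_EOL;
echo 'Content-Security-Policy: ' . withReporting("default-src 'self'", 'csp-endpoint', $groups), PHP_EOL;
```

In a web context the two strings would be passed to `header()` instead of being echoed.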