Closed Seirdy closed 7 months ago
This is a really good privacy call out.
To start: I'm adding a check for `report-sample` in the CSP; I agree that there are very few production use cases for this.
MDN docs for that directive are on the CSP page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Thanks again for these suggestions!
I'm going to leave this one open while I think about how I want to implement it. I agree that the "INFO" type notice for these might make sense, but I'm actually tempted to remove the checks altogether instead (because generally, the tool should give definitive answers).
I generally recommend that people make heavy use of reporting endpoints in staging and internal pages, or possibly for pages with a debug query parameter, but not for public-facing pages. CSP, NEL, etc. reports carry significant entropy, especially with `script-sample`; this could be a major privacy issue. Simply eyeballing a CSP audit log could easily let me pick out users with Tridactyl or Canvas Fingerprinting Defender addons installed, for instance.

I suggest downgrading the checks for the reporting endpoints to an "INFO" severity level, or removing them. I'd more gently suggest warning on use of `script-sample` due to privacy concerns.