w3c / reporting

Reporting API
https://w3c.github.io/reporting/

CSP Report Does Not Reflect Redirected Blocked Domains #269

Closed ConardLi closed 4 months ago

ConardLi commented 4 months ago

When requests on the website are redirected, the domain to which the request is redirected is blocked because it is not included in the connect-src whitelist. However, the CSP report shows the blockedURL as the original domain before the redirect. This makes it difficult to troubleshoot the issue. It would be helpful if the CSP report could include the actual domain that was blocked after the redirect, or better yet, include both the original and the redirected domains.

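A defender-side triage aid for the situation described in the issue, added here as an example and not code from the w3c/reporting project or the CSP spec. It takes Reporting API reports of type `csp-violation` (the CSP3 `report-to` body fields `documentURL`, `blockedURL`, `effectiveDirective`, `originalPolicy`, `disposition`) and checks whether the reported `blockedURL` is itself permitted by the delivered policy. Because a redirected request is reported with the pre-redirect URL, a `connect-src` report whose `blockedURL` passes the policy is a strong hint that a redirect target, not the listed URL, was blocked. The source-expression matcher is a simplified subset of CSP (scheme-source, `'self'`, host with optional leading `*.`, ports ignored) and the sample reports are constructed; both are assumptions of this example.

```python
"""Triage Reporting API CSP violation reports for redirect-induced blocks.

Added example (not part of the w3c/reporting issue or the CSP spec).
Assumption: a blockedURL that the policy allows means the browser reported
the pre-redirect URL, as the issue above describes.
"""
import json
from urllib.parse import urlsplit


def parse_policy(policy):
    """Return {directive: [source expressions]} from a serialized CSP string."""
    out = {}
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def source_matches(expr, url, document_url):
    """Simplified CSP source-expression match (assumption: no paths, ports ignored)."""
    u = urlsplit(url)
    if expr == "*":
        return True
    if expr == "'self'":
        d = urlsplit(document_url)
        return (u.scheme, u.hostname, u.port) == (d.scheme, d.hostname, d.port)
    if expr.startswith("'"):
        return False  # 'none', nonces and hashes never match a fetched URL
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1].lower()  # scheme-source such as https:
    scheme, _, hostport = expr.rpartition("://")  # scheme is '' when absent
    if scheme and scheme.lower() != u.scheme:
        return False
    host = hostport.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host


def triage(report):
    """Classify one Reporting API report; returns None for non-CSP report types."""
    if report.get("type") != "csp-violation":
        return None
    body = report["body"]
    policy = parse_policy(body["originalPolicy"])
    directive = body["effectiveDirective"]
    # Fall back to default-src exactly as the fetch directive would.
    sources = policy.get(directive) or policy.get("default-src", [])
    blocked = body["blockedURL"]
    allowed = any(source_matches(s, blocked, body["documentURL"]) for s in sources)
    return {
        "directive": directive,
        "blockedURL": blocked,
        "disposition": body.get("disposition", "enforce"),
        # blockedURL is allowed by the policy, so the block almost certainly
        # happened after a redirect to a host that is not in the source list.
        "likely_redirect": allowed,
    }


def triage_all(reports):
    return [r for r in (triage(x) for x in reports) if r is not None]


# Constructed sample reports in the Reporting API envelope format.
SAMPLE_REPORTS = json.loads("""[
 {"type": "csp-violation", "age": 10, "url": "https://app.example/checkout",
  "user_agent": "constructed",
  "body": {"documentURL": "https://app.example/checkout",
           "blockedURL": "https://api.example/v1/orders",
           "effectiveDirective": "connect-src",
           "originalPolicy": "default-src 'self'; connect-src 'self' https://api.example",
           "disposition": "enforce"}},
 {"type": "csp-violation", "age": 12, "url": "https://app.example/checkout",
  "user_agent": "constructed",
  "body": {"documentURL": "https://app.example/checkout",
           "blockedURL": "https://tracker.invalid/pixel",
           "effectiveDirective": "connect-src",
           "originalPolicy": "default-src 'self'; connect-src 'self' https://api.example",
           "disposition": "enforce"}}
]""")

if __name__ == "__main__":
    for row in triage_all(SAMPLE_REPORTS):
        print(row)
```

Run against a report collector's stored reports: rows with `likely_redirect` true are the ones where the browser-provided `blockedURL` will not tell you which host to add to `connect-src`, so the redirect chain has to be inspected server-side (or via devtools) instead.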

clelland commented 4 months ago

The body of the CSP report is really under the control of the CSP spec -- I see that you've filed https://github.com/w3c/webappsec-csp/issues/672 there, which @mikewest has responded to already.