CSP3 Report-To header implementation
Issue
Many CSP validators like cspvalidator.org tell me that:
A draft of the next version of CSP deprecates report-uri in favour of
a new report-to directive.
I found more information about this on wicg.github.io, but I didn't find an example / a solution.
Question
How do I properly implement the Report-To HTTP header in Apache 2?
This doesn't throw an error but also does not execute the linked script in Firefox 49 and Chrome 53:
# Report-To must carry valid JSON, so the keys and strings use escaped double quotes
Header set Report-To "{\"url\": \"https://website.com/csp-report.php\", \"group\": \"csp-endpoint\", \"max-age\": 10886400}"
With the Content-Security-Policy header implemented like this:
Header set Content-Security-Policy "default-src 'none'; report-to csp-endpoint"
2 Comments
There are examples in the draft of the Report-To directive:
Report-To: { "url": "https://example.com/reports",
"group": "endpoint-1",
"max-age": 10886400 };
Your rule is correctly created, as in it returns a valid JSON object, but since the Reporting API is still a draft, most UAs haven't gotten around to implementing it. You could simply have both, report-uri and the Report-To header, in the meantime if you want to, as one would be ignored either way:
Note: The report-uri directive is deprecated. Please use the report-to directive instead. If the latter directive is present, this directive will be ignored. To ensure backwards compatibility, we suggest specifying both, like this:
Content-Security-Policy: ...; report-uri endpoint.com; report-to groupname
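As an added check (example code, not from the question or this answer), the script below parses a Report-To value as JSON, confirms that the group named by the CSP report-to directive is defined there, and flags a policy that lacks the report-uri fallback recommended above. The header values, the example.org endpoint and the /csp-report.php path are constructed for this example; the flat {url, group, max-age} shape follows the draft quoted in the answer.

```python
import json

# Constructed sample header values for this example (not the page's own
# Apache config). The first Report-To value uses single quotes, which is
# not JSON; the second is the double-quoted form a browser can parse.
REPORT_TO_BAD = "{'url': 'https://example.org/csp-report.php', 'group': 'csp-endpoint', 'max-age': 10886400}"
REPORT_TO_GOOD = '{"url": "https://example.org/csp-report.php", "group": "csp-endpoint", "max-age": 10886400}'
CSP_VALUE = "default-src 'none'; report-uri /csp-report.php; report-to csp-endpoint"


def parse_report_to(value):
    """Parse a Report-To value into a list of group dicts, or None if invalid.
    Several comma-separated objects are allowed, so the value is wrapped in []."""
    try:
        groups = json.loads("[" + value + "]")
    except json.JSONDecodeError:
        return None
    if all(isinstance(g, dict) and "group" in g and "url" in g for g in groups):
        return groups
    return None


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_reporting(report_to_value, csp_value):
    """Cross-check both headers; returns a list of problems (empty means OK)."""
    problems = []
    groups = parse_report_to(report_to_value)
    if groups is None:
        problems.append("Report-To is not valid JSON (use double quotes)")
    csp = parse_csp(csp_value)
    names = csp.get("report-to", [])
    if len(names) != 1:
        problems.append("CSP report-to must name exactly one group")
    elif groups is not None and names[0] not in {g["group"] for g in groups}:
        problems.append("CSP report-to group %r is not defined in Report-To" % names[0])
    if "report-uri" not in csp:
        problems.append("no report-uri fallback for browsers without report-to support")
    return problems
```

Run check_reporting(REPORT_TO_BAD, CSP_VALUE) to see the JSON error and check_reporting(REPORT_TO_GOOD, CSP_VALUE) to get an empty list.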
It appears that the report-to header has been replaced by a report-uri field in the CSP. Here is a document from the Mozilla Foundation that explains how to use the reporting functionality of content security policies: developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports
It suggests putting the report URL directly into the CSP header like:
Content-Security-Policy: default-src 'self'; report-uri reportcollector.example.com/collector.cgi
It also has detailed information about the format and syntax of the reports so that you can implement them yourself.