Mike

Reputation: 14616

Configuration of the Content-Security-Policy (CSP) reporting with `report-to` in the HTML `meta`-tag

I've defined a content security policy (CSP) for my SPA-application via the meta-tag:

<meta content = "default-src https: 'self' https://%SOME_DOMAIN%.com 'unsafe-eval' 'unsafe-inline'; child-src 'none'; object-src 'none';"
      http-equiv = "Content-Security-Policy" />

Everything is working, and in case of a violation I see a warning in the console.
Now, I want to send an automatic report to the back-end with the report-to directive.

Do I understand it correctly that, for security reasons, I can configure report-to only on the backend and send it to the client side only as an HTTP header, and I can't just declare it in the meta tag, as I've done with the Content-Security-Policy rules?

Upvotes: 1

Views: 1177

Answers (1)

granty

Reputation: 8546

Yes, you understand it correctly. The Reporting API works only via an HTTP header.
Moreover, the report-to/report-uri CSP directives are not supported in the meta tag.

If you wish to get violation reports, the CSP should be delivered from the server as an HTTP header. If you use the report-uri directive you do not need anything special, but if you use the report-to directive, you additionally need to publish a special Report-To HTTP header from the server.

PS: Only Chrome supports the Reporting API/report-to directive as of now.

Upvotes: 4
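What the server side of the answer looks like in practice, as an added example that is not code from the question or the answer: the CSP header carrying both report-uri and report-to, the Report-To header that report-to depends on, and a receiving endpoint that understands both report formats. The group name and endpoint URL are assumed placeholders.

```javascript
// Added example (not from the question or answer): the server side of CSP
// reporting, which a <meta> tag cannot provide. buildCspHeaders() emits the
// Content-Security-Policy header with report-uri (legacy) and report-to, plus the
// Report-To header defining the endpoint group. normalizeReport() is the receiving
// endpoint: it accepts either the legacy report-uri body or a Reporting API batch.
// The group name and endpoint URL below are assumed placeholders.

const REPORT_GROUP = "csp-endpoint";                     // assumed group name
const REPORT_URL = "https://app.example.com/csp-report"; // assumed endpoint URL

function buildCspHeaders(policy, reportUrl = REPORT_URL, group = REPORT_GROUP) {
  const base = policy.trim().replace(/;$/, "");
  const csp = `${base}; report-uri ${reportUrl}; report-to ${group}`;
  // Report-To value: JSON naming the group, its lifetime and its endpoint(s).
  const reportTo = JSON.stringify({ group, max_age: 86400, endpoints: [{ url: reportUrl }] });
  return { "Content-Security-Policy": csp, "Report-To": reportTo };
}

function normalizeReport(contentType, body) {
  // Legacy report-uri POST: Content-Type application/csp-report,
  // body {"csp-report": {"document-uri": ..., "effective-directive": ..., ...}}
  if (contentType.startsWith("application/csp-report")) {
    const r = (body && body["csp-report"]) || {};
    if (!r["effective-directive"] && !r["violated-directive"]) return [];
    return [{ documentUri: r["document-uri"],
              directive: r["effective-directive"] || r["violated-directive"],
              blockedUri: r["blocked-uri"] }];
  }
  // Reporting API POST: Content-Type application/reports+json, body is an array
  // of {type, url, body}; only "csp-violation" entries are CSP reports.
  if (contentType.startsWith("application/reports+json")) {
    return (Array.isArray(body) ? body : [])
      .filter((rep) => rep.type === "csp-violation" && rep.body)
      .map((rep) => ({ documentUri: rep.body.documentURL || rep.url,
                       directive: rep.body.effectiveDirective,
                       blockedUri: rep.body.blockedURL }));
  }
  return []; // unknown content type: nothing to record
}

// Constructed sample bodies in both formats, as a browser would POST them.
const LEGACY_SAMPLE = { "csp-report": { "document-uri": "https://app.example.com/",
  "effective-directive": "object-src", "blocked-uri": "https://cdn.example.net/x.swf" } };
const REPORTING_API_SAMPLE = [
  { type: "csp-violation", url: "https://app.example.com/", body: { documentURL:
    "https://app.example.com/", effectiveDirective: "object-src", blockedURL: "https://cdn.example.net/x.swf" } },
  { type: "deprecation", url: "https://app.example.com/", body: {} },
];
```

Because reports are unauthenticated POSTs from arbitrary browsers, treat their fields as untrusted input when logging or storing them.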
