This is a follow-up on https://blog.sentry.io/2018/09/04/how-sentry-captures-csp-violations
Based on the information from MDN https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri the report-uri directive is deprecated and they discourage its use. Instead they propose to look at the report-to directive, which allows specifying the reporting endpoint with extra parameters.
That said, I am interested in some updated info on how to properly configure the CSP so that violations are reported to Sentry. Please share some examples, I’d appreciate that!
Also, I was looking at using the CSP violation reports in my Chrome extension. And the latest test with report-uri resulted in nothing (using Chrome 73). I wonder if that’s because report-uri is no longer supported? I would like to experiment with report-to, but it’s unclear yet how to define report-to groups in the Manifest file, where the CSP rule is supposed to be a single string:
"content_security_policy": "script-src 'self'; report-to ... ",
Any tips?