Reporting CSP violations (+ from chrome extension)

This is a follow up on https://blog.sentry.io/2018/09/04/how-sentry-captures-csp-violations

Based on the information from MDN https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri the report-uri directive is deprecated and they discourage its use. Instead they propose looking at the report-to directive, which allows specifying the reporting endpoint with extra parameters.

That said, I am interested in some updated info on how to properly configure the CSP so that violations are reported to Sentry. Please share some examples, I’d appreciate that!

Also, I was looking at using the CSP violation reports in my Chrome extension. And my latest test with report-uri resulted in nothing (using Chrome 73). I wonder if that’s because report-uri is no longer supported? I would like to experiment with report-to, but it’s unclear yet how to define report-to groups in the Manifest file, where the CSP rule is supposed to be a single string:

 "content_security_policy": "script-src 'self'; report-to ... ",

Any tips?

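An added example, not from the original post or from Sentry, sketching the two pieces this question touches: response headers that pair report-to (with the Report-To group it names) with a report-uri fallback, and a receiver that normalizes both report formats into one shape. The endpoint URL and group name are placeholders, and the sample report bodies are constructed.

```python
import json
# Placeholder: the page gives no Sentry endpoint, so this URL is a stand-in.
ENDPOINT = "https://example.invalid/csp-report"
GROUP = "csp-endpoint"


def build_headers(endpoint=ENDPOINT, group=GROUP):
    """report-to names a group that the Report-To header defines; report-uri
    is kept alongside it as a fallback for browsers without report-to."""
    report_to = {"group": group, "max_age": 10886400, "endpoints": [{"url": endpoint}]}
    policy = f"default-src 'self'; script-src 'self'; report-uri {endpoint}; report-to {group}"
    return {"Content-Security-Policy": policy,
            "Report-To": json.dumps(report_to, separators=(",", ":"))}


def normalize_reports(content_type, body):
    """One uniform record per violation, whichever mechanism delivered it.
    report-uri POSTs application/csp-report: {"csp-report": {...}}, kebab-case.
    report-to POSTs application/reports+json: a list of reports, camelCase."""
    data = json.loads(body)
    out = []
    if content_type.startswith("application/csp-report"):
        r = data["csp-report"]
        out.append({"document_uri": r.get("document-uri"),
                    "blocked_uri": r.get("blocked-uri"),
                    "effective_directive": r.get("effective-directive") or r.get("violated-directive"),
                    "disposition": r.get("disposition", "enforce")})
    elif content_type.startswith("application/reports+json"):
        for rep in data:
            if rep.get("type") != "csp-violation":
                continue  # the same endpoint may also receive other report types
            b = rep["body"]
            out.append({"document_uri": b.get("documentURL"),
                        "blocked_uri": b.get("blockedURL"),
                        "effective_directive": b.get("effectiveDirective"),
                        "disposition": b.get("disposition", "enforce")})
    else:
        raise ValueError(f"unexpected content type: {content_type}")
    return out


# Constructed sample bodies, shaped like what each mechanism delivers.
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://app.example/page", "blocked-uri": "https://cdn.example/w.js",
    "effective-directive": "script-src", "original-policy": "script-src 'self'"}})
REPORTING_API_SAMPLE = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://app.example/page",
     "body": {"documentURL": "https://app.example/page", "blockedURL": "https://cdn.example/w.js",
              "effectiveDirective": "script-src", "disposition": "enforce"}},
    {"type": "deprecation", "age": 5, "url": "https://app.example/page", "body": {}}])
```

Whether report-to can be expressed inside an extension manifest's single CSP string is a separate question the headers above do not answer; they apply to HTTP responses served by your own site.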