This is a follow-up on https://blog.sentry.io/2018/09/04/how-sentry-captures-csp-violations
Based on the information from MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri), the report-uri directive is deprecated and they discourage its use. Instead they propose to look at the report-to directive, which allows specifying the reporting endpoint with extra parameters.
That said, I am interested in some updated info on how to properly configure the CSP so that violations are reported to Sentry. Please share some examples, I’d appreciate that!
Also, I was looking into using the CSP violation reports in my Chrome extension. And the latest test with report-uri resulted in nothing (using Chrome 73). I wonder if that’s because report-uri is no longer supported? I would like to experiment with report-to, but it’s unclear yet how to define report-to groups in the Manifest file, where the CSP rule is supposed to be a single string:
"content_security_policy": "script-src 'self'; report-to ... ",