FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

My understanding is that:

1. this is a CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) that can be used with either the [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) HTTP header or [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
   - That's correct? FF supports directive in both headers? (behind the pref?)
2. The spec indicates that the directive has a value that is a token - so `report-to <token>`. Looking at various docs this token can be:
   - A "group name", where the one or more groups can be defined in a `Report-To` HTTP header, and each group can be a number of end points.
   - An endpoint name, where individual end points can be defined in [`Reporting-Endpoints`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints) headers (so you would use this to send to just one endpoint, say, rather than a group.).
   - An absolute or relative URL.

   Questions:
   - Is that list above for `<token>` options right?
   - Does FF support groups, endpoints, relative URL, absolute URL?
   - Can declare 4 (say) endpoints for different csp "cases" and use them in 4 different CSP header definitions? (I guess I'm saying can I declare different end points for different restrictions).
3. I can see from the IDL this adds support for [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody). The other interfaces in [Reporting API](https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API), such as `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver` are marked as not supported in FF in the compatibility data. Is that inaccurate, and if it is, when was support added?

Bug 1391243 Comment 11 Edit History
FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

My understanding is that:

1. this is a CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) that can be used with either the [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) HTTP header or [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
   - That's correct? FF supports directive in both headers? (behind the pref?)
2. The spec indicates that the directive has a value that is a token - so `report-to <token>`. Looking at various docs this token can be:
   - A "group name", where the one or more groups can be defined in a `Report-To` HTTP header, and each group can be a number of end points.
   - An endpoint name, where individual end points can be defined in [`Reporting-Endpoints`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints) headers (so you would use this to send to just one endpoint, say, rather than a group.).
   - An absolute or relative URL.

   Questions:
   - Is that list above for `<token>` options right?
   - Does FF support groups, endpoints, relative URL, absolute URL?
   - Can I declare 4 (say) endpoints for different csp "cases" and use them in 4 different CSP header definitions? (I guess I'm saying can I declare different end points for different restrictions).
3. I can see from the IDL this adds support for [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody). The other interfaces in [Reporting API](https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API), such as `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver` are marked as not supported in FF in the compatibility data. Is that inaccurate, and if it is, when was support added?

FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

My understanding is that:

1. this is a CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) that can be used with either the [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) HTTP header or [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
   - That's correct? FF supports directive in both headers? (behind the pref?)
2. The spec indicates that the directive has a value that is a token - so `report-to <token>`. Looking at various docs this token can be:
   - A "group name", where the one or more groups can be defined in a `Report-To` HTTP header, and each group can be a number of end points.
   - An endpoint name, where individual end points can be defined in [`Reporting-Endpoints`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints) headers (so you would use this to send to just one endpoint, say, rather than a group.).
   - An absolute or relative URL.

   Questions:
   - Is that list above for `<token>` options right?
   - Does FF support groups, endpoints, relative URL, absolute URL?
   - Is that supported for `Report-To` and `Reporting-Endpoints` added in this bug/release too?
   - Can I declare 4 (say) endpoints for different csp "cases" and use them in 4 different CSP header definitions? (I guess I'm saying can I declare different end points for different restrictions).
3. I can see from the IDL this adds support for [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody). The other interfaces in [Reporting API](https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API), such as `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver` are marked as not supported in FF in the compatibility data. Is that inaccurate, and if it is, when was support added?

FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

It is a bit confusing about what is delivered by this (and related issues such as https://bugzilla.mozilla.org/show_bug.cgi?id=1860588 and https://bugzilla.mozilla.org/show_bug.cgi?id=1620573) particularly because there is significant cross-over between the CSP and Reporting API specs. Can you outline what Firefox supports now in this area?

Here is what I "think" is true.

1. This change and the reporting API is all behind `dom.reporting.enabled`
2. We no longer use the `dom.reporting.header.enabled` pref to gate headers for this and related features.
3. The reporting API was (prior to this issue) all implemented to legacy v0 behind `dom.reporting.enabled`.
   - It supported [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive for setting the endpoint URI for reports.
4. Following this issue (and https://bugzilla.mozilla.org/show_bug.cgi?id=1860588) we support:
   - `Report-To` header
   - `Reporting-Endpoints` header
   - CSP [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive
   - CSP [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) directive (behind pref)
   - [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody) behind pref
5. We also support these reporting APIs behind same pref, but for much longer: `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver`

Is that all correct? ^^^

A few technical queries around the spec:

6. CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)
   - Can it also be used with [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)?
   - The reporting API indicates this directive is also usable with other headers such as `Document-Policy`.
   - What other headers, if any, can it be used with by FF?
   - Is there a list of things it "might" be used with? (i.e. allowed by specifications_?? (such as [Cross-Origin-Embedder-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) )
   - What other reports do we support, such as deprecation reports (which would have the endpoint type "default").
7. The Reporting spec says that the `report-to` directive value is an `endpoint`, while the CSP spec indicates it is a `token`.
   - My understanding is that it is an endpoint defined in `Reporting-Endpoints` or a groupname in `Report-To` - is this correct? Can Firefox support both (it seems so in https://bugzilla.mozilla.org/show_bug.cgi?id=1860588)
   - Token implies it might also be an absolute or relative URL. Is that possible, and if so, does FF allow that?

FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

It is a bit confusing about what is delivered by this (and related issues such as https://bugzilla.mozilla.org/show_bug.cgi?id=1860588 and https://bugzilla.mozilla.org/show_bug.cgi?id=1620573) particularly because there is significant cross-over between the CSP and Reporting API specs. Can you outline what Firefox supports now in this area?

Here is what I "think" is true.

1. This change and the reporting API is all behind `dom.reporting.enabled`
   - Does browser gate parsing of `Reporting-Endpoints` on this pref too?
2. We no longer use the `dom.reporting.header.enabled` pref to gate headers for this and related features.
3. The reporting API was (prior to this issue) all implemented to legacy v0 behind `dom.reporting.enabled`.
   - It supported [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive for setting the endpoint URI for reports.
4. Following this issue (and https://bugzilla.mozilla.org/show_bug.cgi?id=1860588) we support:
   - `Report-To` header
   - `Reporting-Endpoints` header
   - CSP [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive
   - CSP [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) directive (behind pref)
   - [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody) behind pref
5. We also support these reporting APIs behind same pref, but for much longer: `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver`

Is that all correct? ^^^

A few technical queries around the spec:

6. CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)
   - Can it also be used with [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)?
   - The reporting API indicates this directive is also usable with other headers such as `Document-Policy`.
   - What other headers, if any, can it be used with by FF?
   - Is there a list of things it "might" be used with? (i.e. allowed by specifications_?? (such as [Cross-Origin-Embedder-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) )
   - What other reports do we support, such as deprecation reports (which would have the endpoint type "default").
7. The Reporting spec says that the `report-to` directive value is an `endpoint`, while the CSP spec indicates it is a `token`.
   - My understanding is that it is an endpoint defined in `Reporting-Endpoints` or a groupname in `Report-To` - is this correct? Can Firefox support both (it seems so in https://bugzilla.mozilla.org/show_bug.cgi?id=1860588)
   - Token implies it might also be an absolute or relative URL. Is that possible, and if so, does FF allow that?

FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

It is a bit confusing about what is delivered by this (and related issues such as https://bugzilla.mozilla.org/show_bug.cgi?id=1860588 and https://bugzilla.mozilla.org/show_bug.cgi?id=1620573) particularly because there is significant cross-over between the CSP and Reporting API specs. Can you outline what Firefox supports now in this area?

Here is what I "think" is true.

1. This change and the reporting API is all behind `dom.reporting.enabled`
   - Does browser gate parsing of HTTP headers as well as APIs on the pref? E.g. for `Report-To`, `Reporting-Endpoints` Headers and the CSP `report-to`?
2. We no longer use the `dom.reporting.header.enabled` pref to gate headers for this and related features.
3. The reporting API was (prior to this issue) all implemented to legacy v0 behind `dom.reporting.enabled`.
   - It supported [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive for setting the endpoint URI for reports.
4. Following this issue (and https://bugzilla.mozilla.org/show_bug.cgi?id=1860588) we support:
   - `Report-To` header
   - `Reporting-Endpoints` header
   - CSP [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive
   - CSP [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) directive (behind pref)
   - [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody) behind pref
5. We also support these reporting APIs behind same pref, but for much longer: `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver`

Is that all correct? ^^^

A few technical queries around the spec:

6. CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)
   - Can it also be used with [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)?
   - The reporting API indicates this directive is also usable with other headers such as `Document-Policy`.
   - What other headers, if any, can it be used with by FF?
   - Is there a list of things it "might" be used with? (i.e. allowed by specifications_?? (such as [Cross-Origin-Embedder-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) )
   - What other reports do we support, such as deprecation reports (which would have the endpoint type "default").
7. The Reporting spec says that the `report-to` directive value is an `endpoint`, while the CSP spec indicates it is a `token`.
   - My understanding is that it is an endpoint defined in `Reporting-Endpoints` or a groupname in `Report-To` - is this correct? Can Firefox support both (it seems so in https://bugzilla.mozilla.org/show_bug.cgi?id=1860588)
   - Token implies it might also be an absolute or relative URL. Is that possible, and if so, does FF allow that?

FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

It is a bit confusing about what is delivered by this (and related issues such as https://bugzilla.mozilla.org/show_bug.cgi?id=1860588 and https://bugzilla.mozilla.org/show_bug.cgi?id=1620573) particularly because there is significant cross-over between the CSP and Reporting API specs. Can you outline what Firefox supports now in this area?

Here is what I "think" is true.

1. This change and the reporting API is all behind `dom.reporting.enabled`
   - Does browser gate parsing of HTTP headers as well as APIs on the pref? E.g. for `Report-To`, `Reporting-Endpoints` Headers and the CSP `report-to`?
2. We no longer use the `dom.reporting.header.enabled` pref to gate headers for this and related features.
3. The reporting API was (prior to this issue) all implemented to legacy v0 behind `dom.reporting.enabled`.
   - It supported [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive for setting the endpoint URI for reports.
4. Following this issue (and https://bugzilla.mozilla.org/show_bug.cgi?id=1860588) we support:
   - `Report-To` header
   - `Reporting-Endpoints` header
   - CSP [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive
   - CSP [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) directive (behind pref)
   - [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody) behind pref
5. We also support these reporting APIs behind same pref, but for much longer: `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver`

Is that all correct? ^^^

A few technical queries around the spec:

6. CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)
   - Can it also be used with [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)?
   - The reporting API indicates this directive is also usable with other headers such as `Document-Policy`.
   - What other headers, if any, can it be used with by FF?
   - Is there a list of things it "might" be used with? (i.e. allowed by specifications_?? (such as [Cross-Origin-Embedder-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) )
   - What other reports do we support, such as deprecation reports (which would have the endpoint type "default").
7. The Reporting spec says that the `report-to` directive value is an `endpoint`, while the CSP spec indicates it is a `token`.
   - My understanding is that it is an endpoint defined in `Reporting-Endpoints` or a groupname in `Report-To` - is this correct? Can Firefox support both (it seems so in https://bugzilla.mozilla.org/show_bug.cgi?id=1860588)
   - Token implies it might also be an absolute or relative URL. Is that possible, and if so, does FF allow that?
   - Using the HTTP Report-To header means I can specify multiple urls to be associated with a group. With `Reporting-Endpoints` I can just specify one URL. Can you declare `report-to` directive multiple times to specify different reporting targets for different CSP violations? Or to have a backup URL if you wanted? If so, how?

FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279

It is a bit confusing about what is delivered by this (and related issues such as https://bugzilla.mozilla.org/show_bug.cgi?id=1860588 and https://bugzilla.mozilla.org/show_bug.cgi?id=1620573) particularly because there is significant cross-over between the CSP and Reporting API specs. Can you outline what Firefox supports now in this area?

Here is what I "think" is true.

1. This change and the reporting API is all behind `dom.reporting.enabled`
   - Does browser gate parsing of HTTP headers as well as APIs on the pref? E.g. for `Report-To`, `Reporting-Endpoints` Headers and the CSP `report-to`?
2. We no longer use the `dom.reporting.header.enabled` pref to gate headers for this and related features.
3. The reporting API was (prior to this issue) all implemented to legacy v0 behind `dom.reporting.enabled`.
   - It supported [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive for setting the endpoint URI for reports.
4. Following this issue (and https://bugzilla.mozilla.org/show_bug.cgi?id=1860588) we support:
   - `Report-To` header
   - `Reporting-Endpoints` header
   - CSP [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive
   - CSP [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) directive (behind pref)
   - [`CSPViolationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/CSPViolationReportBody) behind pref
5. We also support these reporting APIs behind same pref, but for much longer: `DeprecationReportBody`, `InterventionReportBody`, `Report`, `ReportBody`, `ReportError`, `ReportingObserver`

Is that all correct? ^^^

A few technical queries around the spec:

6. CSP directive [`report-to`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to)
   - Can it also be used with [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)?
   - The reporting API indicates this directive is also usable with other headers such as `Document-Policy`.
   - What other headers, if any, can it be used with by FF?
   - Is there a list of things it "might" be used with? (i.e. allowed by specifications_?? (such as [Cross-Origin-Embedder-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) )
   - What other reports do we support, such as deprecation reports (which would have the endpoint type "default").
7. The Reporting spec says that the `report-to` directive value is an `endpoint`, while the CSP spec indicates it is a `token`.
   - My understanding is that it is an endpoint defined in `Reporting-Endpoints` or a groupname in `Report-To` - is this correct? Can Firefox support both (it seems so in https://bugzilla.mozilla.org/show_bug.cgi?id=1860588)
   - Token implies it might also be an absolute or relative URL. Is that possible, and if so, does FF allow that?
   - Using the HTTP Report-To header means I can specify multiple urls to be associated with a group. With `Reporting-Endpoints` I can just specify one URL. Can you declare `report-to` directive multiple times to specify different reporting targets for different CSP violations? Or to have a backup URL if you wanted? If so, how?

What I'm getting at here is the text in [Reporting API](https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API#origins_and_endpoints) which says that we report to groups for load balancing, but the `Reporting-Endpoints` doesn't seem to care about that:

> The endpoints are arranged into groups; an endpoint group can work together to provide load balancing (each endpoint will receive a specified proportion of report traffic) and safeguarding against failure (fallback endpoints can be specified to use if the primary ones fail).

FF130 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/35279 EDIT, note, I'm clearing my request for information. After extensive testing I think I know how this works. If I'm wrong we can correct in a post process.
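
The revisions above ask how a CSP `report-to` value relates to names declared in `Reporting-Endpoints` and groups declared in `Report-To`. The following is an added example, not part of the bug comment and not Firefox code, that checks whether a response's `report-to` value resolves to a declared endpoint, which is the configuration error that loses violation reports without any visible failure. The header values and hosts are constructed, the `Reporting-Endpoints` parser is simplified, and checking `Reporting-Endpoints` before `Report-To` is an assumption of this example rather than a statement of any browser's behaviour.

```python
import json
import re

# RFC 9110 "token" grammar, which the CSP spec uses for the report-to value.
# It excludes "/" and ":", so a URL can never satisfy it.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Simplified Reporting-Endpoints member (name="url"), not a full
# structured-field parser.
MEMBER_RE = re.compile(r'([a-z*][a-z0-9_.*-]*)\s*=\s*"([^"]*)"')


def parse_reporting_endpoints(value):
    """Return {endpoint_name: url}; each name maps to exactly one URL."""
    return {m.group(1): m.group(2) for m in MEMBER_RE.finditer(value)}


def parse_report_to(value):
    """Return {group: [urls]} from a comma-separated list of JSON objects."""
    try:
        items = json.loads("[" + value + "]")
    except json.JSONDecodeError:
        return {}
    groups = {}
    for item in (i for i in items if isinstance(i, dict)):
        name, eps = item.get("group", "default"), item.get("endpoints")
        if isinstance(name, str) and isinstance(eps, list):
            groups[name] = [e["url"] for e in eps
                            if isinstance(e, dict) and "url" in e]
    return groups


def csp_report_to_value(policy):
    """Value of the first report-to directive in one policy, else None.
    CSP parsing keeps only the first occurrence of a directive name."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-to":
            return " ".join(parts[1:])
    return None


def resolve_report_to(headers):
    """Return (status, urls) for the policy's report-to directive."""
    policy = (headers.get("Content-Security-Policy")
              or headers.get("Content-Security-Policy-Report-Only", ""))
    value = csp_report_to_value(policy)
    if value is None:
        return ("no-report-to", [])
    if not TOKEN_RE.fullmatch(value):
        return ("not-a-token", [])
    endpoints = parse_reporting_endpoints(headers.get("Reporting-Endpoints", ""))
    if value in endpoints:  # checked first: a choice made for this example
        return ("reporting-endpoints", [endpoints[value]])
    groups = parse_report_to(headers.get("Report-To", ""))
    if value in groups:
        return ("report-to-group", groups[value])
    return ("undeclared", [])


# Constructed sample response headers (hosts are placeholders).
NAMED = {
    "Content-Security-Policy": "default-src 'self'; report-to csp-endpoint",
    "Reporting-Endpoints": 'csp-endpoint="https://reports.example/csp"',
}
MISSPELLED = dict(NAMED, **{
    "Content-Security-Policy": "default-src 'self'; report-to csp-endpiont"})

if __name__ == "__main__":
    for sample in (NAMED, MISSPELLED):
        print(resolve_report_to(sample))
```

A status of `undeclared` or `not-a-token` means the policy names a reporting target that no header in the same response defines.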