Closed
Bug 1439797
Opened 6 years ago
Closed 6 years ago
Enable reporting-only CSP by default
Categories
(bugzilla.mozilla.org :: General, enhancement)
RESOLVED
FIXED
People
(Reporter: dylan, Assigned: dylan)
Details
Attachments
(1 file)
I was chatting with April today about blockers in finishing CSP for BMO, and one thing that came out of it was that using CSP in report-only mode can be a helpful debugging aid. Then later in a chat with bobm, report-only CSP came up again. The library I wrote for this supports report-only mode. So I think I will swap out the "default disabled" logic for "default report". I'll also add CSP nonces to every <script> tag, which means the only things in the error console should be javascript: links and inline onEVENT= handlers.
Updated • 6 years ago
Assignee: nobody → dylan
Updated • 6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Comment 1 • 6 years ago
Attachment #8952821 -
Flags: review+
Comment 2 • 6 years ago
What endpoint are you using to send the CSP reports to? Something Bugzilla specific, or something that other services could use too? :-)