Closed
Bug 1439797
Opened 8 years ago
Closed 8 years ago
Enable reporting-only CSP by default
Categories
(bugzilla.mozilla.org :: General, enhancement)
RESOLVED
FIXED
People
(Reporter: dylan, Assigned: dylan)
Attachments
(1 file)
I was chatting with April today about blockers in finishing CSP for BMO, and one thing that came out of it was that using CSP in report-only mode can be a helpful debugging aid.
Then later in a chat with bobm, report-only CSP came up again. The library I wrote for this supports report-only mode.
So I think I will swap out the "default disabled" logic for "default report". I'll also add CSP nonces to every <script> tag, which means the only things in the error console should be javascript: links and inline onEVENT= handlers.
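The approach described above, sketched in Python as an added example that is not part of the original bug or Bugzilla's own code. It builds a report-only header with a per-response nonce and lists the markup that would still generate reports. The policy string, the `/csp-report` endpoint and all function names are assumptions.

```python
# Added example, not Bugzilla code. Policy and /csp-report endpoint are assumed.
import secrets
from html.parser import HTMLParser

def new_nonce():
    # Fresh, unguessable value per response (base64url characters are valid in a nonce).
    return secrets.token_urlsafe(16)

def report_only_header(nonce, report_uri="/csp-report"):
    # Report-Only: the browser reports violations to report_uri but blocks nothing.
    policy = f"script-src 'nonce-{nonce}'; report-uri {report_uri}"
    return "Content-Security-Policy-Report-Only", policy

class ViolationAudit(HTMLParser):
    """Collects markup that a nonce-only script-src would report."""
    def __init__(self, nonce):
        super().__init__()
        self.nonce, self.findings = nonce, []

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "script" and dict(attrs).get("nonce") != self.nonce:
            self.findings.append(("script-without-nonce", tag))
        for name, value in attrs:
            if name.startswith("on"):  # onclick=, onload=, ... (prefix heuristic)
                self.findings.append(("inline-handler", f"{tag} {name}"))
            elif name in ("href", "src", "action") and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"{tag} {name}"))

def would_report(html, nonce):
    audit = ViolationAudit(nonce)
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample page: one nonced script plus the leftovers the bug expects.
SAMPLE = """<body onload="start()">
<script nonce="NONCE">init()</script>
<script>legacy()</script>
<a href="javascript:void(0)" onclick="go()">x</a>
</body>"""

if __name__ == "__main__":
    nonce = new_nonce()
    print(": ".join(report_only_header(nonce)))
    for kind, where in would_report(SAMPLE.replace("NONCE", nonce), nonce):
        print(kind, where)
```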
Updated•8 years ago (Assignee)
Assignee: nobody → dylan
Updated•8 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 1•8 years ago (Assignee)
Attachment #8952821 -
Flags: review+
Comment 2•8 years ago
What endpoint are you using to send the CSP reports to? Something Bugzilla specific, or something that other services could use too? :-)
Updated•3 years ago
Blocks: CVE-2023-5206