Enable reporting-only CSP by default

Status: RESOLVED FIXED

People: Reporter: dylan, Assigned: dylan

Tracking: Production; Firefox Tracking Flags: not tracked

Attachments (1): PR (45 bytes, text/x-github-pull-request), dylan: review+
I was chatting with April today about blockers in finishing CSP for BMO, and one thing that came out of it was that using CSP in report-only mode can be a helpful debugging aid.

Then later in a chat with bobm, report-only CSP came up again. The library I wrote for this supports report-only mode.

So I think I will swap out the "default disabled" logic for "default report". I'll also add CSP nonces to every <script> tag, which means the only things in the error console should be javascript: links and inline onEVENT= handlers.
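As an added example (not BMO's code and not the library dylan refers to), this is one way to implement what the description proposes: emit the report-only header by default, switch to enforcing on request, and stamp a fresh nonce on every <script> tag so that only javascript: links and inline onEVENT= handlers remain as violations. The report endpoint path, the directive set and the sample HTML are assumptions.

```python
import re
import secrets

# Assumption: the report endpoint path is a placeholder, not BMO's real one.
REPORT_URI = "/csp-report"


def make_nonce() -> str:
    """128-bit random nonce, base64url; must be fresh for every response."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str, mode: str = "report") -> tuple[str, str]:
    """Return (header name, header value) for the given mode.
    "report"  -> Content-Security-Policy-Report-Only: violations are reported, nothing blocked.
    "enforce" -> Content-Security-Policy: violations are blocked and reported.
    "disabled" (the old default this bug replaces) is rejected on purpose."""
    if mode == "disabled":
        raise ValueError("CSP disabled is no longer a default; use report or enforce")
    name = {"report": "Content-Security-Policy-Report-Only",
            "enforce": "Content-Security-Policy"}[mode]
    value = "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",  # nonce is what lets the page's own scripts run
        "object-src 'none'",
        f"report-uri {REPORT_URI}",
    ])
    return name, value


# Matches a <script ...> opening tag that does not already carry a nonce attribute.
_SCRIPT_TAG = re.compile(r"<script(?![^>]*\bnonce=)([^>]*)>", re.IGNORECASE)


def add_script_nonces(html: str, nonce: str) -> str:
    """Add nonce="..." to every <script> tag lacking one. Inline on*= handlers and
    javascript: URLs are left alone; those are exactly what report-only mode will log."""
    return _SCRIPT_TAG.sub(lambda m: f'<script nonce="{nonce}"{m.group(1)}>', html)


def count_remaining_violations(html: str) -> int:
    """Rough count of what a nonce-based script-src will still report:
    inline onEVENT= attributes plus javascript: hrefs."""
    handlers = re.findall(r"\son[a-z]+\s*=", html, re.IGNORECASE)
    js_links = re.findall(r"href\s*=\s*['\"]javascript:", html, re.IGNORECASE)
    return len(handlers) + len(js_links)


# Constructed sample page: two script tags, one javascript: link, one inline handler.
SAMPLE_HTML = ('<script src="/js/app.js"></script><script>var x = 1;</script>'
               '<a href="javascript:void(0)" onclick="go()">x</a>')
```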
(Assignee) Updated a year ago: Assignee: nobody → dylan

(Assignee) Updated a year ago: Status: NEW → RESOLVED; Last Resolved: a year ago; Resolution: --- → FIXED

(Assignee) Comment 1, a year ago: Posted file PR; Attachment #8952821 - Flags: review+
What endpoint are you using to send the CSP reports to? Something Bugzilla specific, or something that other services could use too? :-)