Closed Bug 1439797 Opened 6 years ago Closed 6 years ago

Enable reporting-only CSP by default

Categories

(bugzilla.mozilla.org :: General, enhancement)

Production
enhancement
Not set
normal

RESOLVED FIXED

People

(Reporter: dylan, Assigned: dylan)

Details

Attachments

(1 file)

45 bytes, text/x-github-pull-request, dylan: review+
I was chatting with April today about blockers in finishing CSP for BMO, and one thing that came out of it was that using CSP in report-only mode can be a helpful debugging aid.

Then later in a chat with bobm, report-only CSP came up again. The library I wrote for this supports report-only mode.

So I think I will swap out the "default disabled" logic for "default report". I'll also add CSP nonces to every <script> tag, which means the only things in the error console should be javascript: links and inline onEVENT= handlers.
Assignee: nobody → dylan
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Attached file PR
Attachment #8952821 - Flags: review+
What endpoint are you using to send the CSP reports to? Something Bugzilla specific, or something that other services could use too? :-)
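
The report-only setup described in the first comment, as an added example that is not code from the bug, the PR, or the BMO library: it builds a `Content-Security-Policy-Report-Only` header with a script nonce and audits a page for the markup that would still be reported (scripts without the nonce, `javascript:` URLs, inline `on*=` handlers). The minimal policy, the `REPORT_URI` placeholder, the function names and the sample page are assumptions made for illustration.

```python
import secrets
from html.parser import HTMLParser

# Hypothetical report endpoint; the bug does not say where reports are sent.
REPORT_URI = "/csp-report-placeholder"

def report_only_header(nonce, report_uri=REPORT_URI):
    """Header that reports violations to report_uri without blocking anything."""
    policy = f"script-src 'nonce-{nonce}'; report-uri {report_uri}"
    return ("Content-Security-Policy-Report-Only", policy)

class ViolationAudit(HTMLParser):
    """Collects markup that a nonce-only script-src would still report."""
    def __init__(self, nonce):
        super().__init__()
        self.nonce = nonce
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which this tag starts
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script" and attrs.get("nonce") != self.nonce:
            self.findings.append((line, "script without matching nonce"))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((line, f"inline {name}= handler"))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript: URL"))

def audit(html, nonce):
    parser = ViolationAudit(nonce)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from Bugzilla's templates.
NONCE = "r4nd0mN0nce"
SAMPLE = f"""<html><body>
<script nonce="{NONCE}" src="/js/global.js"></script>
<script>var legacy = 1;</script>
<a href="javascript:void(0)">toggle</a>
<button onclick="save()">Save</button>
</body></html>"""

if __name__ == "__main__":
    print(": ".join(report_only_header(secrets.token_urlsafe(16))))
    for line, what in audit(SAMPLE, NONCE):
        print(f"line {line}: {what}")
```

Running the audit over rendered templates before switching from report-only to enforcing mode gives the same list the browser console would, without waiting for reports to arrive.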