Behind-a-flag Reporting API implementation is dated
Categories
(Core :: DOM: Core & HTML, task, P3)
Tracking
()
People
(Reporter: annevk, Unassigned)
References
(Depends on 1 open bug, Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog2])
Since bug 1492036 https://w3c.github.io/reporting/ has changed quite a bit. Seems good to fix bug 1507280 as part of aligning this.
(There's also a question as to where this fits on the roadmap as only CSP can really use it at this point I think and that already has its own infrastructure.)
standards-positions: https://github.com/mozilla/standards-positions/issues/104.
|
||
Updated•5 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 1•11 months ago
|
||
To provide more context here. We support the V0 version of Reporting API, and we need to implement the V1 version.
Here's an comparison between V0 and V1
Report-To: { group: "main-endpoint", "max_age": 86400, "endpoints": [ { "url": ... }, { "url": ... }] }, { group: "default-endpoint", "max_age": 86400, "endpoints": [ { "url": ... }, { "url": ... }] }
Document-Policy: ...; report-to main-endpoint
V1 works as
Reporting-Endpoints: end-point="https://reports.example/main"
Document-Policy: ...; report-to end-point
|
||
Comment 2•10 months ago
|
||
I think this issue on the spec is also quite relevant:
Clarifying behavior when both Reporting-Endpoints and Report-To headers are provided? #267
From my understanding, the current expectation for response headers is that only Report-To or Reporting-Endpoints will be present - not both, and that Reporting-Endpoints should be prioritized in the scenario where both are present. However, the current reporting API specification isn't very clear about this behavior. Could the document be updated to more explicitly define this behavior?
Description
•