Add an example combining X-XSS-Protection with Reporting API
summercms opened this issue · 3 comments
Link here: https://github.com/h5bp/server-configs-apache/blob/master/src/security/x-xss-protection.conf
Currently have this example:
Header set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
But it doesn't contain or show an example with the reporting api.
Going to take a wild guess and create something?
Header set X-XSS-Protection "1; mode=block; report=\"https://example.report-uri.com/r/d/xss/enforce\"" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
Please let me know if that's correct or not and also please add a working example to your file.
Thanks for opening this issue @ayumi-cloud.
example with the reporting api
Not sure of which API you're referring to, but Reporting API is still under development.
The Reporting API also has a much more precise syntax:
Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint
create something
We aim to keep examples simple and working as much as possible, and to refer to official and/or complete guides to let users go further.
add a working example to your file
That's the thing, the reporting endpoint is different for each user, an example can't work out of the box.
@LeoColomb please can you not close an issue due to a lack of understanding; just request more info.
Here's a direct link for more info: https://docs.report-uri.com/setup/xxp/
As you can see clearly there is an example for .htaccess with reporting api:
Header set X-Xss-Protection "1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce"
Your current code says this:
Header set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
So I'm trying to merge the two together, hence I gave you an example here:
Header set X-XSS-Protection "1; mode=block; report=\"https://example.report-uri.com/r/d/xss/enforce\"" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
Please consider re-looking into this matter now.
reporting api
I'm sorry but your examples are not really about what web standards call Reporting API...
That's handy indeed, but:
- It won't work out of the box (don't forget this repo contains working configuration files, often used as-is).
- You're promoting a specific and named service (which is very nice, but not the only one).
- It is not mandatory to have XXP working.
Anyway, like #208, don't hesitate to improve documentation with a PR.
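For readers who want to see the two mechanisms the thread conflates side by side, here is an added Apache example (not from h5bp/server-configs-apache or either commenter): the legacy X-XSS-Protection report= directive, and the Reporting API's Report-To header referenced by a CSP report-to directive. REPORTING-ENDPOINT-PLACEHOLDER stands in for a collector URL, since, as noted above, the endpoint differs for every deployment.

```apache
# Added example, not part of h5bp/server-configs-apache.
# REPORTING-ENDPOINT-PLACEHOLDER must be replaced with your own collector URL;
# no single endpoint works out of the box for every user.
<IfModule mod_headers.c>

    # 1) Legacy X-XSS-Protection "report" directive (browser-specific, and
    #    not the Reporting API). The value is a bare URI. Escaping it as
    #    report=\"https://...\" makes Apache emit literal quote characters
    #    around the URI, which is not the documented syntax.
    Header set X-XSS-Protection "1; mode=block; report=https://REPORTING-ENDPOINT-PLACEHOLDER/xss" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

    # 2) Reporting API: declare a named endpoint group. The header value is
    #    JSON, so the inner double quotes are escaped for Apache's config
    #    parser; the browser receives them unescaped.
    Header always set Report-To "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://REPORTING-ENDPOINT-PLACEHOLDER/csp-reports\"}]}"

    # 3) A policy then refers to the group by name via report-to.
    #    The default-src value here is illustrative; keep your own CSP.
    Header always set Content-Security-Policy "default-src 'self'; report-to csp-endpoint" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

</IfModule>
```

Only step 2 and step 3 use the Reporting API; step 1 posts to its URI independently of any Report-To group.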