h5bp/server-configs-apache

Add an example combining X-XSS-Protection with Reporting API

summercms opened this issue · 3 comments

Link here: https://github.com/h5bp/server-configs-apache/blob/master/src/security/x-xss-protection.conf

Currently have this example:

Header set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

But it doesn't contain or show an example with the reporting api.

Going to take a wild guess and create something?

Header set X-XSS-Protection "1; mode=block; report=\"https://example.report-uri.com/r/d/xss/enforce\"" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

Please let me know if that's correct or not and also please add a working example to your file.

Thanks for opening this issue @ayumi-cloud.

example with the reporting api

Not sure of which API you're referring to, but Reporting API is still under development.
The Reporting API has also a much more precise syntax:

Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint

create something

We aim to keep examples simple and working as much as possible, and to refer to official and/or complete guides to let users go further.

add a working example to your file

That's the thing, the reporting endpoint is different for each user, an example can't work out of the box.

@LeoColomb please can you not close an issue due to a lack of understanding; just request more info.

Here's a direct link for more info: https://docs.report-uri.com/setup/xxp/

As you can clearly see, there is an example for .htaccess with the reporting API:

Header set X-Xss-Protection "1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce"

Your current code says this:

Header set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

So I'm trying to merge the two together, hence I gave you an example here:

Header set X-XSS-Protection "1; mode=block; report=\"https://example.report-uri.com/r/d/xss/enforce\"" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

Please consider re-looking into this matter now.

reporting api

I'm sorry but your examples are not really about what web standards call Reporting API...

report="https://example.report-uri.com/r/d/xss/enforce\"

That's handy indeed, but:

  • It won't work out of the box (don't forget this repo contains working configuration files, often used as-is).
  • You're promoting a specific and named service (which is very nice, but not the only one).
  • It is not mandatory to have XXP working.

Anyway, like #208, don't hesitate to improve documentation with a PR.
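To make the behaviour of the directive under discussion concrete, here is an added example (not part of this repo or of either commenter's proposal) that models what the `Header set ... "expr=%{CONTENT_TYPE} =~ m#text/html#i"` condition emits, with and without a `report=` directive, and parses the resulting header value so the final wire format can be checked. The report URL is a constructed placeholder, not a real endpoint.

```python
"""Model of the conditional X-XSS-Protection directive and a parser for its value."""
import re
from typing import Optional

# Mirrors the Apache condition `expr=%{CONTENT_TYPE} =~ m#text/html#i`:
# the header is only emitted when the response Content-Type matches text/html
# (case-insensitive, anywhere in the value, so parameters like charset are fine).
HTML_CONTENT_TYPE = re.compile(r"text/html", re.IGNORECASE)


def xxp_header_value(content_type: str, report_url: Optional[str] = None) -> Optional[str]:
    """Return the X-XSS-Protection value the directive would set for this response,
    or None when the content-type condition does not match and no header is sent."""
    if not HTML_CONTENT_TYPE.search(content_type):
        return None
    value = "1; mode=block"
    if report_url:
        # Same shape as the report-uri.com .htaccess example: the URL is not quoted.
        value += f"; report={report_url}"
    return value


def parse_xxp(value: str) -> dict:
    """Split an X-XSS-Protection value into its directives.
    The first token is the enable flag ("0"/"1"); later tokens are key=value
    pairs or bare keys, separated by semicolons."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    result = {"enabled": bool(parts) and parts[0] == "1"}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        result[key.strip().lower()] = val.strip() if val else True
    return result


if __name__ == "__main__":
    # Constructed placeholder endpoint; substitute your own reporting URL.
    endpoint = "https://example.invalid/r/d/xss/enforce"
    for ctype in ("text/html; charset=utf-8", "application/json"):
        print(ctype, "->", xxp_header_value(ctype, endpoint))
    print(parse_xxp("1; mode=block; report=" + endpoint))
```

Note that writing `report=\"https://...\"` inside the Apache argument, as in the merged line above, passes the escaped quotes through into the header value, so the parser would then see the URL wrapped in literal `"` characters.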