juunas11/aspnetcore-security-headers

Disable output of "upgrade-insecure-requests" in "report only" mode


If you have run both `csp.SetUpgradeInsecureRequests();` and `csp.SetReportOnly();`, a warning will be shown in the browser's dev tools console:
[image: screenshot of the browser dev tools console warning]

I suggest disabling output of this directive when in "report only" mode, to avoid this warning.

Hmm, thanks for reporting this. I've usually not wanted to implement too many of these kinds of behaviours into the library as these can change.
If this is implemented, I'd prefer an exception was thrown if both are defined.

> If this is implemented, I'd prefer an exception was thrown if both are defined.

It's your call, but I'd vote for a more passive approach. Let's say that someone would like to enable this directive, but first play around in report only mode, as per the recommendation.
Then, in order not to get a runtime error, you'd have to comment out the directive call, or even delete it, if the company policy dictates that no "dead" code should exist.

Imagine then, that (much) later, someone else picks up the code, with the intention of going to live enforce mode. What are the odds that that person will remember, or even know, that the additional directive should be enabled at the same time?

Right, good points 👍
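As an added example (not code from the aspnetcore-security-headers library or from either commenter), here is a small Python model of the "passive approach" argued for above: a header builder that keeps the `upgrade-insecure-requests` call in place but omits the directive from the `Content-Security-Policy-Report-Only` header, where browsers ignore it, and records a note instead of throwing. It also includes a check that can be run over an existing response header to flag directives that have no effect in report-only mode. All class and function names are hypothetical, and the sample header at the bottom is constructed for the demonstration.

```python
"""Hypothetical CSP builder illustrating the behaviour proposed in the thread.

Browsers evaluate upgrade-insecure-requests (and sandbox) only under the
enforcing Content-Security-Policy header; under
Content-Security-Policy-Report-Only they are ignored and some browsers log a
console warning. This builder drops such directives from a report-only
policy and returns a note, so the call can stay in the code until the policy
is switched to enforce mode. This is an added example, not library code.
"""

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Directives that have no effect when delivered via the report-only header.
IGNORED_IN_REPORT_ONLY = ("upgrade-insecure-requests", "sandbox")


class CspBuilder:
    def __init__(self):
        self._sources = {}            # directive name -> list of source values
        self._upgrade_insecure = False
        self._report_only = False

    def allow(self, directive, *sources):
        """Add source expressions to a fetch directive, e.g. allow("default-src", "'self'")."""
        self._sources.setdefault(directive, []).extend(sources)
        return self

    def set_upgrade_insecure_requests(self):
        self._upgrade_insecure = True
        return self

    def set_report_only(self):
        self._report_only = True
        return self

    def build(self):
        """Return (header_name, header_value, notes).

        notes is a list of human-readable strings describing directives that
        were requested but omitted because they would be ignored by the
        browser in the selected mode.
        """
        parts = [f"{name} {' '.join(values)}" for name, values in self._sources.items()]
        notes = []
        if self._upgrade_insecure:
            if self._report_only:
                notes.append(
                    "upgrade-insecure-requests omitted: browsers ignore it under "
                    f"{REPORT_ONLY_HEADER}; it will be emitted once report-only is removed"
                )
            else:
                parts.append("upgrade-insecure-requests")
        header = REPORT_ONLY_HEADER if self._report_only else ENFORCE_HEADER
        return header, "; ".join(parts), notes


def find_ignored_directives(header_name, header_value):
    """Return the directive names in header_value that browsers ignore for this header.

    Useful as a check over captured response headers: a non-empty result for a
    report-only policy means the policy being tested is not the policy that
    will later be enforced.
    """
    if header_name.lower() != REPORT_ONLY_HEADER.lower():
        return []
    names = [d.strip().split(" ")[0].lower() for d in header_value.split(";") if d.strip()]
    return [n for n in names if n in IGNORED_IN_REPORT_ONLY]


if __name__ == "__main__":
    policy = (
        CspBuilder()
        .allow("default-src", "'self'")
        .allow("img-src", "'self'", "https://cdn.example.invalid")  # constructed host
        .set_upgrade_insecure_requests()
        .set_report_only()
    )
    name, value, notes = policy.build()
    print(f"{name}: {value}")
    for note in notes:
        print("note:", note)
    # Constructed header as it might be seen on the wire from a naive builder.
    captured = "default-src 'self'; upgrade-insecure-requests; sandbox"
    print("ignored in report-only:", find_ignored_directives(REPORT_ONLY_HEADER, captured))
```

The design point is the one the thread lands on: the builder keeps the configuration truthful (the directive is still declared in code) while the emitted header matches what the browser will actually evaluate, so moving to enforce mode is a single `SetReportOnly` removal rather than a hunt for commented-out directives.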