mozilla/django-csp

Add support for reporting endpoints headers

robhudson opened this issue · 0 comments

I would like to propose the addition of support for the report-to directive by adding a new header Reporting-Endpoints and/or Report-To in addition to the Content-Security-Policy header.

The report-to CSP directive is already supported but will only work in combination with the Reporting-Endpoints or Report-To headers. Current support leaves defining this header up to the end user. I would like to discuss adding support in django-csp to define and set either of these headers.

Configuration Example:

CONTENT_SECURITY_POLICY = {
    "REPORTING_ENDPOINTS": {
        "csp-endpoint": "https://example.com/csp-reports",
        "hpkp-endpoint": "https://example.com/hpkp-reports",
    },
    "REPORT_TO": [
        {
            "group": "csp-endpoint",
            "max_age": 10886400,
            "endpoints": [
                {"url": "https://example.com/csp-reports"},
                {"url": "https://backup.example.com/csp-reports"},
            ]
        },
        {
            "group": "hpkp-endpoint",
            "max_age": 10886400,
            "endpoints": [
                {"url": "https://example.com/hpkp-reports"}
            ]
        },
    ],
    "DIRECTIVES": {
        ...,
        "report-to": "csp-endpoint",
    }
}

This would output the following HTTP headers:

Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
                     hpkp-endpoint="https://example.com/hpkp-reports"
Report-To: { "group": "csp-endpoint",
              "max_age": 10886400,
              "endpoints": [
                { "url": "https://example.com/csp-reports" },
                { "url": "https://backup.example.com/csp-reports" }
              ] },
            { "group": "hpkp-endpoint",
              "max_age": 10886400,
              "endpoints": [
                { "url": "https://example.com/hpkp-reports" }
              ] }
Content-Security-Policy: ...; report-to csp-endpoint

There are conflicting standards at the moment, and as such, it would make sense to add support for the Report-To header initially. Support for the Reporting-Endpoints header could be added once the specification moves beyond a draft and browser support starts to be added.

1. Report-To

   The Report-To header is used to define a group of reporting endpoints and the conditions under which reports should be sent to those endpoints. It allows specifying multiple endpoints, the maximum age for the configuration, and the types of reports to be sent. It seems to be currently supported by most browsers except Firefox.

2. Reporting-Endpoints

   The Reporting-Endpoints header is a newer, simpler alternative to the Report-To header. It directly maps names to reporting endpoints without the additional configuration options provided by Report-To. It seems to be a W3C draft at the moment with no browser support.

Arguments Against

There could be arguments made that this is beyond the scope of django-csp since, as shown in the above example, the reporting endpoints can also define other endpoints, such as the HTTP Public Key Pinning (HPKP) endpoints.

References:
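The following is an added worked example, written for this page and not code from the issue author or from django-csp itself. It renders the two headers proposed above from a settings dict shaped like the issue's configuration example (the key names REPORTING_ENDPOINTS, REPORT_TO and DIRECTIVES are taken from the proposal; the function and class names, the validation rules and the sample settings are assumptions made here). It also performs the check a practitioner would want before shipping this: the group named by the CSP `report-to` directive must actually be defined in one of the reporting headers, otherwise violation reports are silently dropped, and every endpoint must be an https URL, since reports carry the violating document URL and are sent with the user's cookies where the policy allows. Django is not imported so the block runs stand-alone; the middleware only needs a response object that supports `response[name] = value`, which Django's HttpResponse does.

```python
"""Render Reporting-Endpoints and Report-To from a django-csp style settings dict.

Hypothetical helper written for illustration; not django-csp's own code.
"""
import json
import re
from urllib.parse import urlsplit

# HTTP token syntax (RFC 9110): group names must be tokens so they cannot
# break the header's quoting or inject further members.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def _check_group(name: str) -> str:
    if not _TOKEN.match(name):
        raise ValueError(f"invalid reporting group name: {name!r}")
    return name


def _check_url(url: str) -> str:
    # The Reporting API only delivers to potentially trustworthy origins, and
    # reports carry the violating URL, so refuse anything that is not https.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"reporting endpoint must be an https URL: {url!r}")
    if '"' in url or "\\" in url:
        raise ValueError(f"unsafe character in endpoint URL: {url!r}")
    return url


def build_reporting_endpoints(endpoints: dict) -> str:
    """Reporting-Endpoints is a Structured Field dictionary of quoted strings."""
    return ", ".join(
        f'{_check_group(name)}="{_check_url(url)}"' for name, url in endpoints.items()
    )


def build_report_to(groups: list) -> str:
    """Report-To is a comma-separated list of JSON group objects on one line."""
    rendered = []
    for group in groups:
        for endpoint in group["endpoints"]:
            _check_url(endpoint["url"])
        obj = {
            "group": _check_group(group["group"]),
            "max_age": int(group["max_age"]),
            "endpoints": group["endpoints"],
        }
        if "include_subdomains" in group:
            obj["include_subdomains"] = bool(group["include_subdomains"])
        rendered.append(json.dumps(obj, separators=(",", ":")))
    return ", ".join(rendered)


def reporting_headers(settings: dict) -> dict:
    """Return {header name: value} for the reporting headers the policy needs.

    Raises ValueError when the CSP report-to directive names a group that is
    not defined by either header, which would otherwise fail silently.
    """
    headers = {}
    endpoints = settings.get("REPORTING_ENDPOINTS") or {}
    groups = settings.get("REPORT_TO") or []
    if endpoints:
        headers["Reporting-Endpoints"] = build_reporting_endpoints(endpoints)
    if groups:
        headers["Report-To"] = build_report_to(groups)
    target = settings.get("DIRECTIVES", {}).get("report-to")
    if target is not None:
        known = set(endpoints) | {g["group"] for g in groups}
        if target not in known:
            raise ValueError(f"CSP report-to group {target!r} is not defined")
    return headers


class ReportingHeadersMiddleware:
    """Django-style middleware that adds the reporting headers to every response."""

    def __init__(self, get_response, settings):
        self.get_response = get_response
        self.headers = reporting_headers(settings)  # validate once at start-up

    def __call__(self, request):
        response = self.get_response(request)
        for name, value in self.headers.items():
            response[name] = value
        return response


# Constructed sample settings for this example, modelled on the issue's layout.
EXAMPLE_SETTINGS = {
    "REPORTING_ENDPOINTS": {"csp-endpoint": "https://example.com/csp-reports"},
    "REPORT_TO": [
        {
            "group": "csp-endpoint",
            "max_age": 10886400,
            "endpoints": [
                {"url": "https://example.com/csp-reports"},
                {"url": "https://backup.example.com/csp-reports"},
            ],
        }
    ],
    "DIRECTIVES": {"default-src": "'self'", "report-to": "csp-endpoint"},
}

if __name__ == "__main__":
    for name, value in reporting_headers(EXAMPLE_SETTINGS).items():
        print(f"{name}: {value}")
```

Validating at middleware construction rather than per request means a misconfigured `report-to` group or an http endpoint fails loudly when the process starts instead of producing a policy whose reports never arrive.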