Add support for reporting endpoints headers
robhudson opened this issue · 0 comments
I would like to propose the addition of support for the `report-to` directive by adding a new header `Reporting-Endpoints` and/or `Report-To` in addition to the `Content-Security-Policy` header.

The `report-to` CSP directive is already supported but will only work in combination with the `Reporting-Endpoints` or `Report-To` headers. Current support leaves defining this header up to the end user. I would like to discuss adding support in django-csp to define and set either of these headers.
Configuration Example:

```python
CONTENT_SECURITY_POLICY = {
    "REPORTING_ENDPOINTS": {
        "csp-endpoint": "https://example.com/csp-reports",
        "hpkp-endpoint": "https://example.com/hpkp-reports",
    },
    "REPORT_TO": [
        {
            "group": "csp-endpoint",
            "max_age": 10886400,
            "endpoints": [
                {"url": "https://example.com/csp-reports"},
                {"url": "https://backup.example.com/csp-reports"},
            ],
        },
        {
            "group": "hpkp-endpoint",
            "max_age": 10886400,
            "endpoints": [
                {"url": "https://example.com/hpkp-reports"},
            ],
        },
    ],
    "DIRECTIVES": {
        ...,
        "report-to": "csp-endpoint",
    },
}
```
This would output the following HTTP headers:

```http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
                     hpkp-endpoint="https://example.com/hpkp-reports"
Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" },
               { "url": "https://backup.example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint
```
There are conflicting standards at the moment, and as such, it would make sense to add support for the `Report-To` header initially. Support for the `Reporting-Endpoints` header could be added once the specification moves beyond a draft and browser support starts to be added.
- `Report-To`
  The `Report-To` header is used to define a group of reporting endpoints and the conditions under which reports should be sent to those endpoints. It allows specifying multiple endpoints, the maximum age for the configuration, and the types of reports to be sent. Seems to be currently supported by most browsers except Firefox.
- `Reporting-Endpoints`
  The `Reporting-Endpoints` header is a newer, simpler alternative to the `Report-To` header. It directly maps names to reporting endpoints without the additional configuration options provided by `Report-To`. Seems to be a W3C draft at the moment with no browser support.
Arguments Against
There could be arguments made that this is beyond the scope of django-csp since, as shown in the above example, the reporting endpoints can also define other endpoints, such as the HTTP Public Key Pinning (HPKP) endpoints.
References:
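As an added illustration (not django-csp's own code, nor part of the issue), a sketch of how the proposed setting could be rendered into the two header values shown above, plus a check that the `report-to` directive names a group that one of the headers actually defines. The function names and the sample dict (trimmed to one `Report-To` group) are assumptions.

```python
import json

# Constructed sample in the shape the issue proposes; the REPORTING_ENDPOINTS
# and REPORT_TO keys are the proposal, not an existing django-csp setting.
PROPOSED_SETTING = {
    "REPORTING_ENDPOINTS": {
        "csp-endpoint": "https://example.com/csp-reports",
        "hpkp-endpoint": "https://example.com/hpkp-reports",
    },
    "REPORT_TO": [
        {
            "group": "csp-endpoint",
            "max_age": 10886400,
            "endpoints": [
                {"url": "https://example.com/csp-reports"},
                {"url": "https://backup.example.com/csp-reports"},
            ],
        },
    ],
    "DIRECTIVES": {"default-src": "'self'", "report-to": "csp-endpoint"},
}


def reporting_endpoints_header(config):
    """Render REPORTING_ENDPOINTS as name="url" pairs; None if unset."""
    endpoints = config.get("REPORTING_ENDPOINTS") or {}
    for url in endpoints.values():
        if '"' in url or "\\" in url:  # would break the quoted-string syntax
            raise ValueError(f"unsafe characters in endpoint URL: {url!r}")
    return ", ".join(f'{n}="{u}"' for n, u in endpoints.items()) or None


def report_to_header(config):
    """Render REPORT_TO as comma-separated JSON objects, one per group."""
    groups = config.get("REPORT_TO") or []
    return ", ".join(json.dumps(g, separators=(",", ":")) for g in groups) or None


def undefined_report_to_groups(config):
    """Group names used by the report-to directive that neither header
    defines. A policy whose group is undefined silently sends no reports."""
    group = config.get("DIRECTIVES", {}).get("report-to")
    if not group:
        return []
    defined = set(config.get("REPORTING_ENDPOINTS") or {})
    defined |= {g["group"] for g in config.get("REPORT_TO") or []}
    return [] if group in defined else [group]
```

The last function is the check worth running at startup: a `report-to` directive pointing at a group no header defines is the easiest way to end up with a policy that looks monitored but never reports.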