I'm using the following CSP on a PHP website and everything works fine except the reporting in Chrome, which obviously uses the report-to endpoint like Edge does:
header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; report-to csp-endpoint; report-uri https://domain.tld/csp-report/index.php;");
This is my report-to group:
header("Report-To: { \"group\": \"csp-endpoint\", \"max_age\": 10886400, \"endpoints\": [ { \"url\": \"https://domain.tld/csp-report/index.php\" } ] }");
The JSON of Report-To in the header seems to be valid; I also tried single quotes instead of escaped double quotes. I ensured I use a valid, not self-signed SSL cert. I tested different spellings and searched the web. I also found an article here saying that report-to is buggy in Chrome, but that was v86; now I use v106. Thanks for your help.
P.S. I know that reports to report-uri and report-to are slightly different. I considered that, and my csp-reports/index.php is able to process reports of both kinds. I tested that via Insomnia.
The Reporting API works only under secure contexts (see https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).
While localhost is considered a secure context, the Reporting API still doesn't support it.
Try on staging or prod environments and it will start working.
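For reference, an endpoint of the kind the question describes, one script that accepts both report formats, could look like this. This is an added example, not the asker's csp-report/index.php; it assumes PHP 8 (for str_starts_with) and a log path that is only a placeholder.

```php
<?php
// Added example, not the asker's script: one PHP endpoint that accepts both
// report-uri posts (application/csp-report, one {"csp-report": {...}} object)
// and Reporting API posts (application/reports+json, a JSON array of reports)
// and appends one normalised line per violation. Log path is an assumption.
const CSP_LOG = __DIR__ . '/csp-reports.log';   // assumed location
const MAX_BODY = 65536;                          // drop oversized posts

/** Normalise either report format into a list of CSP violation records. */
function normalize_csp_reports(string $contentType, string $raw): array
{
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return [];
    }
    $out = [];
    if (str_starts_with($contentType, 'application/csp-report')) {
        $r = $data['csp-report'] ?? [];          // legacy report-uri shape
        $out[] = [
            'document'  => $r['document-uri'] ?? '',
            'blocked'   => $r['blocked-uri'] ?? '',
            'directive' => $r['effective-directive'] ?? ($r['violated-directive'] ?? ''),
            'source'    => 'report-uri',
        ];
    } elseif (str_starts_with($contentType, 'application/reports+json')) {
        foreach ($data as $rep) {                // Reporting API shape
            if (($rep['type'] ?? '') !== 'csp-violation') {
                continue;                        // other report types are ignored here
            }
            $b = $rep['body'] ?? [];
            $out[] = [
                'document'  => $b['documentURL'] ?? ($rep['url'] ?? ''),
                'blocked'   => $b['blockedURL'] ?? '',
                'directive' => $b['effectiveDirective'] ?? '',
                'source'    => 'report-to',
            ];
        }
    }
    return $out;
}

$raw = (string) file_get_contents('php://input');
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || strlen($raw) > MAX_BODY) {
    http_response_code(400);
    exit;
}
foreach (normalize_csp_reports($_SERVER['CONTENT_TYPE'] ?? '', $raw) as $v) {
    file_put_contents(CSP_LOG, json_encode($v) . PHP_EOL, FILE_APPEND | LOCK_EX);
}
http_response_code(204);                         // browsers expect 2xx, no body
```

Posting a Reporting API body with Insomnia (Content-Type application/reports+json, a JSON array) and a legacy body (Content-Type application/csp-report) should each produce a line in the log, which is a quick way to separate endpoint problems from browser-side delivery problems.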