Contact emails
Spec
SummaryThe `report-to` directive wires CSP violation reports up to the Reporting API (
https://wicg.github.io/reporting/), and deprecates the existing `report-uri` directive.
`Content-Security-Policy: script-src 'self'; report-to default` will queue violation reports into the reporting group named "default", and the browser will deliver them in a batch, along with other reports from other APIs.
Motivation
CSP's existing `report-uri` mechanism is fairly naive with regard to it's behavior on the network. We send one POST per violation, which means that we're sending a _lot_ of requests in aggregate. `report-to` uses the Reporting API to batch up violation reports, and send them out of band, whenever the device is happiest sending reports. It should be friendlier overall, and gives us a path to deprecating `report-uri` in the future.
Interoperability risk
Firefox: No public signals
Edge: No public signals
Safari: No public signals
Web developers: No signals
Folks generally seem enthusiastic about the reporting API, but I don't think any vendors in WebAppSec WG have taken a close look at `report-to` yes. Hopefully this intent will give them reason to do so. :)
Testing, however, is going to be difficult. Since part of the benefit of this feature is that reports are delivered in browser-controlled batches, out of band, it's going to be difficult to write web platform tests that verify much of anything. `setTimeout(verifyReportReceived, 10000000)` doesn't sound exciting. This isn't unique to CSP, however; any feature that uses this mechanism is going to have similar troubles. We'll have to put our heads together to see what we can do to ensure interop.
Compatibility risk
The `report-to` directive is specified as overriding the `report-uri` directive, so developers can support both older and newer browsers by using both in a policy. This means that we should be able to both support a gradual migration from one to the other, and if we decide that this was a terrible idea and should throw the whole thing away, we'll be able to do so without breaking anyone.
Ongoing technical constraints
None
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
OWP launch tracking bug
Link to entry on Chrome Platform Status
Requesting approval to ship?
No (if all goes well, we'll aim to ship this at the same time the Reporting API itself ships).
-mike