
CSP Report-uri deprecated, replaced by report-to

Open martindaehn23 opened this issue 2 years ago • 1 comment

Adding a new CSP directive

Report-uri seems to be deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri Instead we want to use both, report-uri and report-to, to be future proof and backward compatible.

  • Is the directive supported by any user agent? If so, which? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
    • Chrome
    • Edge
    • Opera
  • What does it do? Used to substitute report-uri.
  • What are the valid values for the directive? Content-Security-Policy: report-to ;

martindaehn23 avatar Oct 05 '23 08:10 martindaehn23

For additional context: The new report-to directive requires the Reporting-Endpoints HTTP header to define reporting endpoints (see W3C Reporting API spec and MDN docs).

Rails has an open PR (#52367) for Reporting API support, likely targeting Rails 8.1.

Both report-uri (deprecated) and report-to can coexist for backward compatibility during the transition period.

tmaier avatar Oct 22 '25 20:10 tmaier
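The two points raised in this thread, emitting both report-uri and report-to in the CSP, and declaring the report-to group in a Reporting-Endpoints header, are shown below in plain Ruby as an added example. It is not code from the secure_headers gem, from Rails PR #52367, or from either commenter; the `reporting_endpoints_header`, `csp_header`, `security_headers` functions and the `ReportingHeaders` middleware class are hypothetical names for this example, and the endpoint URLs and policy are constructed sample data. The example also adds two checks a practitioner would want: the report-to group name must actually appear in Reporting-Endpoints (otherwise reports are silently dropped), and endpoint names must be valid Structured Field dictionary keys.

```ruby
# Added example (not code from the secure_headers gem or from this issue):
# emit a Reporting-Endpoints header plus a CSP that carries both the legacy
# report-uri directive and the report-to directive pointing at a named endpoint.
require "uri"

# Reporting-Endpoints is an HTTP Structured Field dictionary (RFC 8941), so
# each endpoint name must be a valid sf-key: lowercase letter or "*" first,
# then lowercase letters, digits, "_", "-", ".", "*".
ENDPOINT_NAME_RE = /\A[a-z*][a-z0-9_\-.*]*\z/.freeze

# Build `Reporting-Endpoints: name="https://..."`, one entry per endpoint.
# Assumption for this example: only absolute https:// URLs are accepted,
# since user agents only deliver reports to potentially trustworthy origins.
def reporting_endpoints_header(endpoints)
  endpoints.map do |name, url|
    unless name.to_s.match?(ENDPOINT_NAME_RE)
      raise ArgumentError, "invalid Reporting-Endpoints name: #{name.inspect}"
    end
    uri = URI.parse(url)
    unless uri.is_a?(URI::HTTPS) && uri.host
      raise ArgumentError, "endpoint #{name} must be an absolute https URL, got #{url.inspect}"
    end
    %(#{name}="#{url}")
  end.join(", ")
end

# Serialize CSP directives; report-uri (legacy) and report-to (Reporting API)
# are appended last so both old and new user agents find a reporting target.
def csp_header(directives, report_uri: nil, report_to: nil)
  parts = directives.map { |name, values| "#{name} #{Array(values).join(' ')}" }
  parts << "report-uri #{report_uri}" if report_uri
  parts << "report-to #{report_to}" if report_to
  parts.join("; ")
end

# Assemble both headers, refusing a report-to group that has no matching
# Reporting-Endpoints entry (a silent misconfiguration: reports simply vanish).
def security_headers(endpoints:, csp:, report_to:, report_uri: nil)
  unless endpoints.key?(report_to)
    raise ArgumentError, "report-to group #{report_to.inspect} is not declared in Reporting-Endpoints"
  end
  {
    "Reporting-Endpoints"     => reporting_endpoints_header(endpoints),
    "Content-Security-Policy" => csp_header(csp, report_uri: report_uri, report_to: report_to),
  }
end

# Minimal Rack-style middleware (hypothetical; not secure_headers' own
# middleware) that adds the two headers to every response.
class ReportingHeaders
  def initialize(app, **opts)
    @app = app
    @headers = security_headers(**opts) # validate at boot, not per request
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(@headers), body]
  end
end

# Constructed sample configuration for the demo below.
SAMPLE_ENDPOINTS = { "csp-endpoint" => "https://reports.example.com/csp" }.freeze
SAMPLE_CSP = {
  "default-src" => "'self'",
  "script-src"  => ["'self'", "https://cdn.example.com"],
}.freeze

if __FILE__ == $PROGRAM_NAME
  app = ReportingHeaders.new(->(_env) { [200, { "content-type" => "text/html" }, ["ok"]] },
                             endpoints: SAMPLE_ENDPOINTS, csp: SAMPLE_CSP,
                             report_to: "csp-endpoint", report_uri: "/csp-report")
  _status, headers, _body = app.call({})
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the file prints a `Reporting-Endpoints` line and a `Content-Security-Policy` line ending in `report-uri /csp-report; report-to csp-endpoint`. Browsers that understand report-to ignore report-uri when both are present, while older ones fall back to report-uri, which is what makes the dual configuration backward compatible during the transition.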