[Webkit-unassigned] [Bug 192857] CSP Endpoint must be whitelisted in connect-src

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 19 10:44:26 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=192857

--- Comment #3 from Scott Helme <scotthelme at hotmail.com> ---
Hey everyone, 

Just dropping by to say I can repro this in latest Safari, screenshot attached. 

This behaviour is not present in latest Edge, Chrome or Firefox.

If you want a test page for this issue you can try: https://scotthelme.co.uk/csp-demo/

I run Report URI (https://report-uri.com) and we process billions of reports per month for our customers. Advising them to open up a connect-src to us really isn't something we want to do. I feel it'd be a lot better if they didn't need to whitelist us at all and CSP reports were sent outside of the requirement to be whitelisted in the CSP, as they are in other browsers.

This is also somewhat problematic because if the CSP endpoint is required to be whitelisted in the connect-src (or default-src) then violating it and blocking the request, which it does, should cause a CSP report to be sent, which it doesn't! 

Cheers, 

Scott.
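To make the two behaviours compared in the comment concrete, here is an added example that is not part of the bug report and not WebKit's code: a small model of how a `report-uri` endpoint interacts with `connect-src`. One switch selects between "reports are delivered regardless of connect-src" (the behaviour the comment attributes to Chrome, Edge and Firefox) and "the report endpoint must be allowed by connect-src, falling back to default-src" (the Safari behaviour reported). The source-expression matcher is a simplified subset of CSP host-source matching written for this illustration and is an assumption, as are the sample origin `https://www.example.com`, the placeholder endpoint `https://reports.example.net/csp` and the helper names.

```javascript
// Added example, not code from the bug report or from WebKit: a model of how a
// CSP `report-uri` endpoint interacts with `connect-src`, so the two behaviours
// compared in the comment can be run side by side. The matcher below is a
// simplified subset of CSP host-source matching (scheme, host with a leading
// wildcard, port, path prefix) written for this illustration; it is an
// assumption, not WebKit's implementation.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Parse a serialized policy into directive-name -> [source expressions].
// Per CSP, a repeated directive is ignored; only the first occurrence counts.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const [name, ...values] = raw.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Does one source expression allow `url` for a page served from `origin`?
function matchesSource(expr, url, origin) {
  if (expr === "'self'") return url.origin === origin.origin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces: never match a URL
  if (expr === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const exprScheme = (scheme || origin.protocol.slice(0, -1)).toLowerCase();
  // http in the expression also allows https (scheme upgrade); nothing else crosses schemes.
  if (url.protocol !== exprScheme + ':' && !(exprScheme === 'http' && url.protocol === 'https:')) return false;
  const h = host.toLowerCase();
  if (h === '*') { /* any host */ }
  else if (h.startsWith('*.')) { if (!url.hostname.endsWith(h.slice(1))) return false; }
  else if (url.hostname !== h) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === '*') { /* any port */ }
  else if (port) { if (port !== urlPort) return false; }
  else if (url.port !== '') return false; // no port in the expression: URL must use its default port
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// connect-src governs fetches; if absent, default-src applies; if both are absent, anything goes.
function connectSrcAllows(policy, targetUrl, pageOrigin) {
  const directive = policy.get('connect-src') ?? policy.get('default-src');
  if (!directive) return true;
  const url = new URL(targetUrl, pageOrigin);
  const origin = new URL(pageOrigin);
  return directive.some(expr => matchesSource(expr, url, origin));
}

// For every report-uri endpoint, decide whether a violation report is delivered.
// endpointNeedsConnectSrc: false = report sent regardless (Chrome/Edge/Firefox per the
// comment); true = endpoint must pass connect-src (the Safari behaviour reported).
function reportDelivery(header, pageOrigin, { endpointNeedsConnectSrc }) {
  const policy = parsePolicy(header);
  return (policy.get('report-uri') ?? []).map(endpoint => ({
    endpoint,
    sent: endpointNeedsConnectSrc ? connectSrcAllows(policy, endpoint, pageOrigin) : true,
  }));
}

// The workaround the comment argues against: add each report endpoint's origin to
// connect-src, seeding connect-src from default-src when it is absent.
function whitelistReportEndpoints(header, pageOrigin) {
  const policy = parsePolicy(header);
  const endpoints = policy.get('report-uri') ?? [];
  if (endpoints.length === 0) return header;
  const connect = [...(policy.get('connect-src') ?? policy.get('default-src') ?? [])]
    .filter(e => e !== "'none'"); // 'none' cannot be combined with other sources
  for (const ep of endpoints) {
    const origin = new URL(ep, pageOrigin).origin;
    if (!connect.includes(origin)) connect.push(origin);
  }
  policy.set('connect-src', connect);
  return [...policy].map(([name, values]) => [name, ...values].join(' ')).join('; ');
}

// Constructed sample site and policies (placeholders, not real endpoints).
const PAGE_ORIGIN = 'https://www.example.com';
const POLICY_NO_WHITELIST =
  "default-src 'self'; script-src 'self'; report-uri https://reports.example.net/csp";
const POLICY_WHITELISTED =
  "default-src 'self'; script-src 'self'; connect-src 'self' https://reports.example.net; report-uri https://reports.example.net/csp";

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, header] of [['no whitelist', POLICY_NO_WHITELIST], ['whitelisted', POLICY_WHITELISTED]]) {
    console.log(label, 'report sent regardless:', reportDelivery(header, PAGE_ORIGIN, { endpointNeedsConnectSrc: false }));
    console.log(label, 'endpoint must pass connect-src:', reportDelivery(header, PAGE_ORIGIN, { endpointNeedsConnectSrc: true }));
  }
  console.log('rewritten policy:', whitelistReportEndpoints(POLICY_NO_WHITELIST, PAGE_ORIGIN));
}
```

With the first policy, the report is delivered only under the "sent regardless" model; under the "must pass connect-src" model the endpoint fails `default-src 'self'` and the report is dropped. The rewritten policy from `whitelistReportEndpoints` passes under both models, which is exactly the extra allowance the comment says site owners should not have to make.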
