Handle X-XSS-Protection violation reports

[reedloden]

Similar to #729 and #2165, WebKit (and Chrome) also supports a non-standard report addition to X-XSS-Protection (https://bugs.webkit.org/show_bug.cgi?id=100892) that will send a JSON-based report to a URI for any violations.

See https://gist.github.com/spaze/c91b692fc988ff1d13e8 for an example. You can see a live example on https://www.youtube.com.

Would be nice to support it in Sentry. :)

cc @mattrobenolt again.

[mattrobenolt]

Oh boy, this is neat. :)

I think I'm going to refactor the CSP stuff I did to accept these arbitrary reports rather than being locked into how I structured CSP.

Thanks for this guidance! Really appreciated.

[mattrobenolt]

btw @reedloden, are you guys using Sentry at HackerOne? You can email me personally if you want to chat, or hip in IRC #sentry.

[reedloden]

@alex-hofsteede Here's another one. It's a different format than the others, sadly.

[reedloden]

These reports being implemented elsewhere: https://scotthelme.co.uk/introducing-xss-reporting-to-report-uri/

Would love to get support in Sentry for them.

[tfoel]

Sentry is already better in terms of GDPR compliance than report-uri (see above) - so it would indeed be great to have support for such reportings. There's also CSP, Expect-CT that could be handled.

[BYK]

Closing this issue due to staleness. Feel free to comment here if you think we should still work on this.