Proposal: replacement for deprecated report-uri for content_security_policy

[carlosjeurissen]

Issue

Currently CSP reports can be received using the report-uri directive of the CSP. report-uri however is currently deprecated. See CSP: report-uri on MDN.

Solution

Thus if we want to keep this functionality for webExtensions, we need to provide an alternative. For CSP on websites, the alternative is the report-to directive. For extensions we should be able to define report-to groups. This could either be defined using two potential syntaxes.

Syntax 1

a new manifest key report_to like this:

{
  "report_to": [{
    "group": "endpoint-1",
    "max_age": 10886400,
    "endpoints": [
      { "url": "https://example.com/reports" },
      { "url": "https://backup.com/reports" }
    ]
  }]
}

Syntax 2

Or we add it to the content_security_policy property like this:

{
  "content_security_policy": {
    "extension_pages": "default-src 'none'; report-to endpoint-1",
    "report_to":  [{
      "group": "endpoint-1",
      "max_age": 10886400,
      "endpoints": [
        { "url": "https://example.com/reports" },
        { "url": "https://backup.com/reports" }
      ]
    }]
  }
}

Additional info

Syntax 1 has the added benefit of potentially allowing other reports to be collected in the future in case we want to add support for them like adding support for Document-Policy reports.

[xeenon]

This proposal sounds good to me for Safari. If we went with proposal 1, I'd like to propose policy_reports or policy_report_to as the key to be more specific about what it is. For proposal 2, it is fine to keep the report_to key name since it is scoped to content_security_policy.

[carlosjeurissen]

@xeenon Would also work. The reason I proposed report_to is the fact it matches the HTTP header just like content_security_policy does. See:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to