I'm setting up a content security policy in report-only mode. When I test it, Google Chrome gives this error:
The Content Security Policy 'default-src 'self'; script-src 'self' 'unsafe-inline' https: //use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com; font-src https: //use.typekit.com; style-src 'self' 'unsafe-inline' https: //use.typekit.com; frame-src https: //www.youtube.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
Here is my full Content Security Policy, I define the HTTP header in a header PHP file for the website:
header("Content-Security-Policy-Report-Only: default-src 'self';
script-src 'self' 'unsafe-inline' https://use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com;
font-src https://use.typekit.com;
style-src 'self' 'unsafe-inline' https://use.typekit.com;
frame-src https://www.youtube.com;
report-uri /csp-violations-report-endpoint;
");
I have a folder in the web root directory: csp-violations-report-endpoint, with a single index.php file inside of it to handle the violation.
I'm not sure what I'm doing wrong. I've read MDN's suggestions for report-uri and used Google's example to write my report-uri directive.
Should I try pointing the report-uri
to a script in the root directory? Should I try letting it log on its own, or do I need a parser to handle it? Could there be something wrong with my script? (I can include that if it would be of help)
Edit: It may be possible that my web browser is ignoring the report-uri
directive (since it's deprecated) and is expecting the report-to
directive, and that is why it's not working but the error message leads me to believe that isn't the case.
I might be completely off base, but, if you're using the code exactly as pictured above, then you are likely sending a bunch of invalid headers. HTTP Headers have to exist on a single line, and yours does not. Try this:
header(
"Content-Security-Policy-Report-Only: default-src 'self'; " .
"script-src 'self' 'unsafe-inline' https://use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com; " .
"font-src https://use.typekit.com; " .
"style-src 'self' 'unsafe-inline' https://use.typekit.com; " .
"frame-src https://www.youtube.com; " .
"report-uri /csp-violations-report-endpoint; "
);