phpparsingsecurityhttp-headerscontent-security-policy

Content Security Policy report-uri is not being recognized


I'm setting up a content security policy in report-only mode. When I test it, Google Chrome gives this error:

The Content Security Policy 'default-src 'self'; script-src 'self' 'unsafe-inline' https: //use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com; font-src https: //use.typekit.com; style-src 'self' 'unsafe-inline' https: //use.typekit.com; frame-src https: //www.youtube.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.

Here is my full Content Security Policy, I define the HTTP header in a header PHP file for the website:

header("Content-Security-Policy-Report-Only: default-src 'self'; 
        script-src 'self' 'unsafe-inline' https://use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com;
        font-src https://use.typekit.com;
        style-src 'self' 'unsafe-inline' https://use.typekit.com;
        frame-src https://www.youtube.com;
        report-uri /csp-violations-report-endpoint;
");

I have a folder in the web root directory: csp-violations-report-endpoint, with a single index.php file inside of it to handle the violation.

I'm not sure what I'm doing wrong. I've read MDN's suggestions for report-uri and used Google's example to write my report-uri directive.

Should I try pointing the report-uri to a script in the root directory? Should I try letting it log on its own, or do I need a parser to handle it? Could there be something wrong with my script? (I can include that if it would be of help)

Edit: It may be possible that my web browser is ignoring the report-uri directive (since it's deprecated) and is expecting the report-to directive, and that is why it's not working but the error message leads me to believe that isn't the case.


Solution

  • I might be completely off base, but, if you're using the code exactly as pictured above, then you are likely sending a bunch of invalid headers. HTTP Headers have to exist on a single line, and yours does not. Try this:

    header(
        "Content-Security-Policy-Report-Only: default-src 'self'; " .
        "script-src 'self' 'unsafe-inline' https://use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com; " .
        "font-src https://use.typekit.com; " .
        "style-src 'self' 'unsafe-inline' https://use.typekit.com; " .
        "frame-src https://www.youtube.com; " .
        "report-uri /csp-violations-report-endpoint; "
    );