
Needs clearer documentation and/or improved features for report-to header #47

Closed
davejtoews opened this issue May 11, 2023 · 3 comments
@davejtoews

It took me a while to get this module up and running. Here are a few stumbling blocks I hit:

Incorrect example report URI

From the report-uri.com docs it seems that the value should be one of these three:

report-uri https://{subdomain}.report-uri.com/r/d/csp/enforce
report-uri https://{subdomain}.report-uri.com/r/d/csp/reportOnly
report-uri https://{subdomain}.report-uri.com/r/d/csp/wizard

However, the docs example shows the subdomain root as the URI:

```yaml
Firesphere\CSPHeaders\View\CSPBackend:
  csp_config:
    report-uri: "https://mydomain.report-uri.com"
```

Missing report-to Header instructions

The readme includes a section, presumably for setting up a Report-To header, but it seems incomplete: https://github.com/Firesphere/silverstripe-csp-headers#report_to

I had to add the following to my PageController::init() method:

```php
// Added to PageController::init(). The value is one JSON object on a single line
// (HTTP header values cannot contain raw newlines); the CSP report-to directive
// must name the same group, "default" here.
$this->response->addHeader(
    'Report-To',
    '{"group":"default","max_age":31536000,'
    . '"endpoints":[{"url":"https://mydomainr.report-uri.com/a/d/g"}],'
    . '"include_subdomains":true}'
);
```

It's not clear to me if the module should have added this header on its own or if the intent was to have something like this in the docs, but I needed this header to get reports functioning.

Missing instructions for report-to directive of CSP header

The default config and documentation don't include a yml line for adding report-to within the CSP header. The paragonie/csp-builder module, however, does allow for it, so I was able to add the following in my yml config:

```yaml
Firesphere\CSPHeaders\View\CSPBackend:
  csp_config:
    report-to: 'default'
```

Presumably I could also put a URI there, but 'default' seems to work when I've got a report-to header with the URI.


I may be able to submit a PR to address some of this but I'm still learning this CSP stuff, and not 100% clear where the boundaries are between limits to my understanding, limits to the docs, limits to the module, or limits to the paragonie module it's built on.

It appears as though the report-uri stuff may have worked on its own previously, but it has been deprecated in favour of Report-To headers and report-to directives on CSP headers, and this module has not caught up with the change?
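The three pieces the issue above assembles by hand (the Report-To header, the report-uri directive, and the report-to directive naming the header's group) as one added PHP example. This is not code from the silverstripe-csp-headers module or from paragonie/csp-builder; the report-uri.com hostnames and endpoint paths are the placeholders used in the issue, and the function names are this example's own. It goes one step beyond the issue by checking, before the headers are sent, that the group named by report-to actually exists in the Report-To header, since a mismatch means Reporting API browsers drop the reports without any error.

```php
<?php
// Added example, not the module's or csp-builder's code. Hostnames and endpoint
// paths are placeholders copied from the issue; replace them with your own.
declare(strict_types=1);

/**
 * Build the Report-To header value: a bare JSON object per group (several groups
 * are separated by commas, not wrapped in an array), emitted on a single line.
 */
function buildReportToHeader(
    string $group,
    string $endpointUrl,
    int $maxAge = 31536000,
    bool $includeSubdomains = true
): string {
    $descriptor = [
        'group'              => $group,
        'max_age'            => $maxAge,
        'endpoints'          => [['url' => $endpointUrl]],
        'include_subdomains' => $includeSubdomains,
    ];
    return json_encode($descriptor, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

/**
 * Build a CSP carrying both reporting directives: report-uri for browsers that
 * only implement the legacy mechanism, report-to for those that implement the
 * Reporting API (which use it and ignore report-uri when both are present).
 */
function buildCspHeader(array $directives, string $reportUri, string $reportToGroup): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    $parts[] = 'report-uri ' . $reportUri;
    $parts[] = 'report-to ' . $reportToGroup;
    return implode('; ', $parts);
}

/**
 * Consistency check: the group named by the CSP report-to directive must be
 * declared in the Report-To header. A group descriptor without a "group" key
 * is the implicit "default" group.
 */
function reportToGroupsMatch(string $reportToHeader, string $cspHeader): bool
{
    // Wrap in [] so a comma-separated list of objects parses as a JSON array.
    $groups   = json_decode('[' . $reportToHeader . ']', true, 512, JSON_THROW_ON_ERROR);
    $declared = array_map(fn(array $g): string => $g['group'] ?? 'default', $groups);

    foreach (explode(';', $cspHeader) as $directive) {
        $tokens = preg_split('/\s+/', trim($directive));
        if ($tokens[0] === 'report-to') {
            return in_array($tokens[1] ?? '', $declared, true);
        }
    }
    return true; // no report-to directive, nothing to cross-check
}

// Usage: the group name "default" appears in both headers.
$reportTo = buildReportToHeader('default', 'https://mydomain.report-uri.com/a/d/g');
$csp = buildCspHeader(
    ['default-src' => ["'self'"], 'script-src' => ["'self'", 'https://cdn.example.com']],
    'https://mydomain.report-uri.com/r/d/csp/enforce',
    'default'
);

if (!reportToGroupsMatch($reportTo, $csp)) {
    throw new RuntimeException('CSP report-to names a group the Report-To header does not declare');
}

// In Silverstripe this would be $this->response->addHeader('Report-To', $reportTo)
// and addHeader('Content-Security-Policy', $csp) inside PageController::init().
header('Report-To: ' . $reportTo);
header('Content-Security-Policy: ' . $csp);
```

Keeping both directives costs nothing: browsers without Reporting API support fall back to report-uri, and the cross-check catches the silent failure mode where the CSP names a group that was never declared.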

@Firesphere
Owner

Firesphere commented May 24, 2023

However the docs example shows the subdomain root as the uri

The docs show an example URI. Whichever service you use is not up to me to decide.

I understand it might be clearer if the example was https://report.example.com/report/uri/project

Missing report-to Header instructions

Report-to is not (yet) fully supported by all browsers; report-uri is for now the way to go. Paragon allows it, yes, but it's not yet functional, as per this issue: paragonie/csp-builder#63

Therefore, you can add report-to, but it won't do anything yet.

It appears as though the report-uri stuff may have worked on it's own previously but it has been deprecated in favour of report-to headers and report-to directives on CSP headers and this module has not caught up with the change?

Report-uri is not deprecated as of yet, and is still the current implementation for most browsers. Firefox and Safari both do not (yet) support it.

I don't see how this is "not caught up", it is about supporting browsers, not a new, not-yet-fully-implemented standard.

@davejtoews
Author

it is about supporting browsers, not a new, not-yet-fully-implemented standard

I may well be misunderstanding where the standards are at, but in my implementation, in the browsers I was testing, I didn't get reports coming into my report-uri.com account until I had a report-to header.

FWIW MDN lists report-uri as "Deprecated" though still supported by all major browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri

@Firesphere
Owner

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to#browser_compatibility
