CSP Report Does Not Reflect Redirected Blocked Domains #269

Closed
ConardLi opened this issue Jul 15, 2024 · 1 comment

@ConardLi

When requests on the website are redirected, the domain to which the request is redirected is blocked because it is not included in the connect-src whitelist. However, the CSP report shows the blockedURL as the original domain before the redirect. This makes it difficult to troubleshoot the issue. It would be helpful if the CSP report could include the actual domain that was blocked after the redirect, or better yet, include both the original and the redirected domains.

@clelland
Contributor

The body of the CSP report is really under the control of the CSP spec -- I see that you've filed w3c/webappsec-csp#672 there, which @mikewest has responded to already.
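
A triage heuristic for the behaviour discussed in this thread, as an added example that is not part of the original issue or the project's code: when a report's `blockedURL` already matches the allowlist of its effective directive, the block probably happened after a redirect, so the redirect chain is the place to look. The function names, the simplified source matcher and the sample reports are constructed for illustration.

```javascript
// Added example: simplified CSP source matching, not a full CSP Level 3 matcher.
function sourcesFor(policy, directive) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !map.has(key)) map.set(key, sources); // first occurrence wins
  }
  return map.get(directive) ?? map.get("default-src") ?? null;
}

function matchesSource(url, source, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // other keywords, nonces, hashes
  if (source === "*") return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Assumption: a scheme-less host source is treated as allowing http and https.
  const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ":" : /^https?:$/.test(url.protocol);
  const h = host.toLowerCase();
  const hostOk = h === "*" || (h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
  const defaultPort = url.protocol === "https:" ? "443" : "80";
  const portOk = port === "*" || (url.port || defaultPort) === (port ?? defaultPort);
  const pathOk = !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
  return schemeOk && hostOk && portOk && pathOk;
}

// Classify one Reporting API "csp-violation" report.
function classifyReport(report) {
  const { blockedURL, effectiveDirective, originalPolicy, documentURL } = report.body;
  let blocked;
  try { blocked = new URL(blockedURL); } catch { return "not-applicable"; } // "inline", "eval", ...
  const sources = sourcesFor(originalPolicy, effectiveDirective);
  if (!sources) return "not-applicable";
  const selfOrigin = new URL(documentURL).origin;
  return sources.some((s) => matchesSource(blocked, s, selfOrigin))
    ? "probable-redirect" // reported URL is allowed, so something after it was blocked
    : "direct-violation";
}

// Constructed sample reports (not taken from the issue).
const POLICY = "default-src 'self'; connect-src 'self' https://api.example.com";
const sample = (blockedURL) => ({ type: "csp-violation", body: {
  blockedURL, effectiveDirective: "connect-src", originalPolicy: POLICY,
  documentURL: "https://app.example.com/" } });
const SAMPLE_REPORTS = ["https://api.example.com/v1/data", "https://cdn.example.net/x", "inline"].map(sample);
for (const r of SAMPLE_REPORTS) console.log(r.body.blockedURL, "->", classifyReport(r));
```

Reports classified as `probable-redirect` can then be followed up by requesting the reported URL from a test client and inspecting its `Location` chain.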
