
Commit 79e15a4

docs(csp): add reporting-endpoints header for maximum compatibility (#12245)
* add reporting-endpoints header for maximum compatibility * Update includes/platforms/security-policy-reporting/content.mdx --------- Co-authored-by: Shannon Anahata <[email protected]>
1 parent 7d75721 commit 79e15a4

File tree

1 file changed

+3
-1
lines changed
  • includes/platforms/security-policy-reporting


includes/platforms/security-policy-reporting/content.mdx

Lines changed: 3 additions & 1 deletion
@@ -15,11 +15,12 @@ Content-Security-Policy: ...;
1515
report-to csp-endpoint
1616
1717
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___"}],"include_subdomains":true}
18+
Reporting-Endpoints: csp-endpoint="https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___"
1819
```
1920

2021
<Alert title="Compatibility Recommendation">
2122

22-
Though the `report-to` directive is intended to replace the deprecated `report-uri` directive, `report-to` isn't supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get `report-to` support, you can specify both `report-uri` and `report-to` in your Content-Security-Policy (CSP).
23+
Though the `report-to` directive is intended to replace the deprecated `report-uri` directive, `report-to` isn't supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get `report-to` support, you can specify both `report-uri` and `report-to` in your Content-Security-Policy (CSP), as well as adding [Report-To](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Report-To) and [Reporting-Endpoints](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints) headers.
2324

2425
</Alert>
2526
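Review bot: the `Reporting-Endpoints` line added at 18 carries neither the `include_subdomains: true` nor the `max_age` that the `Report-To` line above it has, because the newer header has no such fields: it applies only to the response that sets it and is not cached. The alert text rewritten at 23 should say that, i.e. send `Reporting-Endpoints` on every response (and on each subdomain) rather than relying on a cached group. The same alert still says `report-to` "isn't supported in most browsers yet" while instructing readers to add two headers whose only purpose is to serve `report-to`; suggest wording along the lines of "browsers that support `report-to` look up the endpoint in `Reporting-Endpoints` (newer) or `Report-To` (older), so send both, and keep `report-uri` for the rest", which states why both headers are there.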

@@ -32,6 +33,7 @@ Content-Security-Policy-Report-Only: ...;
3233
report-to csp-endpoint
3334
3435
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___"}],"include_subdomains":true}
36+
Reporting-Endpoints: csp-endpoint="https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___"
3537
```
3638

3739
When defining your policy it is important to ensure that `sentry.io` or your self-hosted Sentry domain is in your `default-src` or `connect-src` policy, or browsers will block requests that submit policy violations.
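Review bot: the group name is now declared in three places in this block (`report-to csp-endpoint` at 33, `"group":"csp-endpoint"` at 34/35 and `csp-endpoint=` at 36), and a mismatch in any one of them means the browser has no endpoint for the group and the reports are dropped; suggest the paragraph at 37/39 call out that the three names must be identical. Since a `Content-Security-Policy-Report-Only` policy blocks nothing, a mistake here only shows up as reports never arriving, which is worth a sentence as well.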
