
Content-Security-Policy-Report-Only should show detailed CSP analysis #69

Open
groenroos opened this issue Aug 13, 2024 · 3 comments
Labels
effort: medium This task is a medium effort. p1 We will address this soon and will provide capacity from our team for it in the next few releases. test: CSP Issues about the Content Security Policy tests

Comments

@groenroos

groenroos commented Aug 13, 2024

What information was incorrect, unhelpful, or incomplete?

When a Content-Security-Policy-Report-Only header is defined, the "CSP analysis" tab is empty, with an "Implement an enforced policy" exception message.

e.g. https://developer.mozilla.org/en-US/observatory/analyze?host=google.com#csp

What did you expect to see?

As discussed in #5, while the flag and the -25 score is correct, the "CSP analysis" tab should still display the full line-by-line CSP analysis as though the header was enforced. This would help with iterating the CSP policy without causing disruption to users.

Do you have any supporting links, references, or citations?

Do you have anything more you want to share?

The discussion in the previous issue resolved to initially create the behaviour that currently exists, and follow up after launch with this described behaviour.

That issue was closed as completed when the first step was implemented (possibly because it satisfied the title of the initial issue?). However, displaying the full CSP analysis does not seem to be implemented yet, and so I thought I'd open a separate issue for that.

@groenroos groenroos added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Aug 13, 2024
Contributor

It looks like this is your first issue. Welcome! 👋 One of the project maintainers will be with you as soon as possible. We appreciate your patience. To safeguard the health of the project, please take a moment to read our code of conduct.

@argl argl added effort: medium This task is a medium effort. p1 We will address this soon and will provide capacity from our team for it in the next few releases. test: CSP Issues about the Content Security Policy tests and removed needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. labels Aug 22, 2024
@github-actions github-actions bot added the idle Issues and pull requests with no activity for three months. label Sep 22, 2024
@argl
Contributor

argl commented Jan 3, 2025

Sorry for the non-movement on this, I just wanted to say that this is still under consideration.

@groenroos
Author

No worries at all! Happy to hear it's still on the radar! 👍

We had actually paused work on implementing CSP due to policy complexity, but we do plan to take it up again soon, now that the rest of our setup can more easily support Level 3. So, if this tool could help us validate our Report-Only policies while we iterate, that would definitely be huge! 👌

Let me know if I can be of any help!

@github-actions github-actions bot removed the idle Issues and pull requests with no activity for three months. label Jan 4, 2025