Header Reporting-Endpoints.

[righettod]

📡 Track the evolution of the support of the HTTP response header Reporting-Endpoints to see if it can become a candidate to be added to the project.

[righettod]

📅 Status information was captured on January 2025.

🌎 Support status

🗺 Spec status

❌ I found it interesting regarding the Deprecation Reporting feature but the specification is an Unofficial Draft that was not updated since 2020.

📖 Sources & References

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints
• https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API
• https://github.com/w3c/reporting/blob/main/EXPLAINER.md
• https://w3c.github.io/reporting/
• https://chromium.googlesource.com/chromium/src/+/HEAD/net/reporting/README.md
• https://caniuse.com/mdn-http_headers_reporting-endpoints

[righettod]

📅 Status information was captured on May 2025.

[righettod]

POC

I performed the following POC using projectdiscovery/simplehttpserver as a local HTTPS web server.

💻Command line used to start the server and set reporting endpoints:

simplehttpserver -verbose -https -cert righettod.local.pem -key righettod.local-key.pem -cors -header "Reporting-Endpoints: report-handler=\"https://righettod.local:8000/report.html\"" -header "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; report-to report-handler" -header "Permissions-Policy: sync-xhr=(), report-to=report-handler"

📄Sample html page expected to trigger violation reports:

<!DOCTYPE html>
<html>

<head>
	<title>POC</title>
	<link rel="stylesheet" href="style.css">
	<link rel="icon" type="image/x-icon" href="favicon.ico">
</head>

<body>
	<!-- Content Security Policy (CSP) violation here -->
	<img src="https://picsum.photos/536/354">
	<!-- Permission Policy (PP) violation here -->
	<script>
		const req = new XMLHttpRequest();
		req.open("GET", "/favicon.ico");
		req.send();		
	</script>
</body>

</html>

Browser used

Chrome 136.

Key points

⚠️ Huge thanks to Gemini for the help and hints:

1. HTTPS Requirement: The Reporting API, and thus the Reporting-Endpoints header, requires HTTPS for both the page generating the reports and the reporting endpoint itself. It will not work over plain HTTP.

2. CORS for Cross-Origin Endpoints: If your reporting endpoint is on a different origin than the page generating the reports, your reporting endpoint must support CORS preflight requests and respond with appropriate Access-Control-Allow-Origin, Access-Control-Allow-Headers, and potentially Access-Control-Allow-Methods headers. Reports are sent as POST requests with a Content-Type: application/reports+json.

3. Specific Report Types: The Reporting-Endpoints header defines named endpoints. To actually send reports, you need to use these named endpoints in conjunction with other headers or APIs that generate reports, such as:

   • Content-Security-Policy with the report-to directive (e.g., Content-Security-Policy: script-src 'self'; report-to my-csp-endpoint;)
   • Document-Policy with the report-to directive.
   • Permissions-Policy with the report-to directive (though for Permissions-Policy-Report-Only, the browser might default to a default endpoint).
   • Deprecation reports are often sent automatically to a default endpoint if one is defined.

4. Debugging: You can monitor reports and endpoints in Chrome DevTools under the Application panel, then Background services > Reporting API. This can be very helpful for debugging if reports aren't being sent or received as expected.

Observations

✅ The CSP violation was correctly received.

🤔The following error was mentioned by Chrome for PP:

Error with Permissions-Policy header: Unrecognized feature: 'report-to'.

The PP documentation on MDN was not mentioning the report-to parameters but the W3C specification was mentioning it.

🤖Reply from ChatGPT:

🤖Reply from Gemini:

🤖Result tends to prove ChatGPT right.

Point of view

💡From a security perspective, the following behavior for Reporting-Endpoints tend to be interesting if it is not an hallucination from Gemini:

🤔Chrome created a default endpoint pointing to the single endpoint defined in the header:

🤔I need to delve deeper into this potential behavior to better understand it and how it can be used from a defensive security point of view...

[righettod]

Browser

Chromium 138 was used to ensure to use the most recent possible version of the foundation of Chromium based browser like Edge/Chrome/...

Version: 138.0.7201.0 (Developer Build) (64-bit).

Documentation used

• https://w3c.github.io/reporting
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Reporting-Endpoints
• https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API

Web server

💻Web server started using the following command:

simplehttpserver -verbose -https -cert righettod.local.pem -key righettod.local-key.pem -cors -header "Reporting-Endpoints: default=\"https://righettod.local:8000/report.html\""

✅Default endpoint correctly created by the browser:

Tests performed

Load a site with an expired TLS certificate

💻Code:

<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>POC</title>
</head>
<body>
	<iframe src="https://expired.badssl.com/"></iframe>
</body>
</html>

❌No report received.

Reject a request for geolocation

💻Code generated with the help of Gemini:

<!DOCTYPE html>
<html lang="en">

<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Geolocation Example</title>
</head>

<body>
	<h1>Get Your Current Location</h1>
	<button id="getLocationButton">Get My Location</button>
	<div id="locationData"></div>

	<script>
		const locationDataDiv = document.getElementById('locationData');
		const getLocationButton = document.getElementById('getLocationButton');

		getLocationButton.addEventListener('click', () => {
			if ("geolocation" in navigator) {
				locationDataDiv.textContent = 'Requesting location...';

				// Options for the geolocation request
				const options = {
					enableHighAccuracy: true, // Try to get the best possible result
					timeout: 5000,            // Max time (ms) to wait for a result
					maximumAge: 0             // Don't use a cached position; get a fresh one
				};

				navigator.geolocation.getCurrentPosition(
					(position) => { // Success callback
						const latitude = position.coords.latitude;
						const longitude = position.coords.longitude;
						const accuracy = position.coords.accuracy; // Accuracy in meters

						locationDataDiv.innerHTML = `
                            <p><strong>Latitude:</strong> ${latitude}</p>
                            <p><strong>Longitude:</strong> ${longitude}</p>
                            <p><strong>Accuracy:</strong> &plusmn;${accuracy} meters</p>
                            <p>Timestamp: ${new Date(position.timestamp)}</p>
                        `;
						console.log('Geolocation success:', position);
					},
					(error) => { // Error callback
						let errorMessage = 'Error getting location: ';
						switch (error.code) {
							case error.PERMISSION_DENIED:
								errorMessage += "User denied the request for Geolocation.";
								break;
							case error.POSITION_UNAVAILABLE:
								errorMessage += "Location information is unavailable.";
								break;
							case error.TIMEOUT:
								errorMessage += "The request to get user location timed out.";
								break;
							case error.UNKNOWN_ERROR:
								errorMessage += "An unknown error occurred.";
								break;
						}
						locationDataDiv.textContent = errorMessage;
						console.error('Geolocation error:', error);
					},
					options // Pass the options object
				);
			} else {
				locationDataDiv.textContent = "Geolocation is not supported by this browser.";
				console.warn("Geolocation not supported.");
			}
		});
	</script>
</body>

</html>

❌Geolocation request rejected but no report was received:

🤔Based on the documentation, such type of event should generate an intervention report type that it will be send the default endpoint:

🤔Perhaps I missed something and ChatGPT help me to understand:

🤖I asked ChatGPT to generate me a POC:

❌I tried it but no report was received so I asked why. The response from ChatGPT was an hallucination:

🧑‍💻I tried several other examples with the help of Gemini+ChatGPT without success.

🤔I surely miss something...

[riramar]

Hi @righettod

I was able to reproduce with the following setup.

target_server.py

import ssl
import socketserver
from http.server import SimpleHTTPRequestHandler

class TargetHandler(SimpleHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")

        # Define reporting endpoint using Reporting-Endpoints header (legacy format still valid in Chrome)
        self.send_header("Reporting-Endpoints", 'endpoint-1="https://localhost:5001/report"')

        # Use CSP that references report-to group "endpoint-1"
        self.send_header("Content-Security-Policy", "default-src 'none'; script-src 'self'; report-to endpoint-1")

        self.end_headers()

        html = """
        <html><head>
        <script src="https://evil.com/hack.js"></script> <!-- CSP violation -->
        </head><body>Hello from CSP PoC using Reporting-Endpoints!</body></html>
        """
        self.wfile.write(html.encode('utf-8'))

# SSL setup
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
server_address = ("0.0.0.0", 5000)
with socketserver.TCPServer(server_address, TargetHandler) as httpd:
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    print(f'Starting httpd over TLS on port {server_address[1]}...')
    httpd.serve_forever()

report_collector.py

import ssl
import socketserver
from http.server import SimpleHTTPRequestHandler
import json

class ReportHandler(SimpleHTTPRequestHandler):
    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Access-Control-Allow-Methods", "POST, OPTIONS")
        self.send_header("Access-Control-Allow-Headers", "*")
        self.end_headers()
        
    def do_POST(self):
        length = int(self.headers.get('Content-Length', 0))
        data = self.rfile.read(length)

        try:
            report = json.loads(data)
            print("\n📩 CSP Report Received:\n", json.dumps(report, indent=2))
        except json.JSONDecodeError:
            print("\n❌ Invalid JSON Received:\n", data.decode())

        self.send_response(204)
        self.end_headers()

# SSL setup
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
server_address = ("0.0.0.0", 5001)
with socketserver.TCPServer(server_address, ReportHandler) as httpd:
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    print(f'Starting httpd over TLS on port {server_address[1]}...')
    httpd.serve_forever()

Generate self-signed cert:

$ openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=localhost"

Run report_collector.py and target_server.py in different terminals.
Start Chrome with:

$ google-chrome   --ignore-certificate-errors   --enable-features=Reporting   --enable-logging=stderr   --v=1   --no-sandbox   --user-
data-dir=/tmp/chrome-profile   https://localhost:5000

Check the report_collector.py terminal.

[righettod]

Nice @riramar , thanks a lot 🥰🥰🥰🥰

[righettod]

There's a subtle hint in my aim:, My goal is to trigger a event of type intervention that should trigger a report that should be send to the default endpoint defined via the Report-Endpoints response header 😉

My goal is to see if the Report-Endpoints response header can be used to define a notification endpoints (as a spy) to detect strange or unexpected or malicious usage of a "page" 🤔

However, a huge thanks for your help and support on this analysis 🥰