'Unknown Content-type' when logging CSP violations in Firefox 62 #10202

Open
1 of 3 tasks
ukch opened this issue Oct 19, 2018 · 3 comments

Comments

@ukch

ukch commented Oct 19, 2018

Important Details

How are you running Sentry?

  • On-Premise docker [Version xyz]
  • SaaS (sentry.io)
  • Other [briefly describe your environment]

Description

I am setting up a CSP for my site and attempting to log violations to Sentry, but I have noticed that requests from my browser (Firefox) are returning status 400 and are not being logged to Sentry.

My CSP header looks like the following:

default-src 'self';
base-uri 'none';
form-action 'none';
frame-ancestors 'none';
report-uri https://sentry.io/api/{ID}/security/?sentry_key={KEY};

Firefox is trying to log violations by using 'fetch' to post JSON to the endpoint, but is receiving the following response:

{
    "error": "Invalid Content-Type"
}

It looks as if Firefox is not specifying the Content-Type header for the request, but is sending valid JSON.

Possible Solution

Perhaps Sentry could make a reasonable guess as to the request's content type if the Content-Type header is not specified?

@reedloden
Contributor

I wouldn't be surprised if this is due to the lack of effective-directive, which leads to Sentry just dropping all CSP reports from Firefox.

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1192684.
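
The two conditions raised so far in this thread (a report that arrives without a Content-Type header, and a report that lacks effective-directive) can both be handled at the receiving endpoint. The following Python sketch is an added example, not Sentry's code and not part of the thread; the accepted media types, the size limit, and the names `parse_csp_report` and `RejectedReport` are assumptions of the example.

```python
import json
from typing import Optional

# Assumed policy for this sketch; not Sentry's actual behaviour.
ACCEPTED_TYPES = {"application/csp-report", "application/json"}
MAX_BODY_BYTES = 64 * 1024


class RejectedReport(ValueError):
    """Raised when a request body is not an acceptable CSP report."""


def parse_csp_report(content_type: Optional[str], body: bytes) -> dict:
    """Return the normalised csp-report dict or raise RejectedReport."""
    if len(body) > MAX_BODY_BYTES:
        raise RejectedReport("body too large")
    # Strip parameters such as "; charset=utf-8" before comparing.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    # A missing header is tolerated; a present but unexpected one is not.
    if media_type and media_type not in ACCEPTED_TYPES:
        raise RejectedReport("Invalid Content-Type")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        raise RejectedReport("body is not valid JSON") from exc
    # Without a header to rely on, the body shape is the only evidence.
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict):
        raise RejectedReport("missing csp-report object")
    effective = report.get("effective-directive")
    if not (isinstance(effective, str) and effective.strip()):
        violated = report.get("violated-directive")
        if not (isinstance(violated, str) and violated.strip()):
            raise RejectedReport("no directive in report")
        # violated-directive may carry the full directive text
        # ("default-src 'self'"); its first token is the directive name.
        effective = violated.split()[0]
    return {**report, "effective-directive": effective.strip()}


# Constructed sample: a report body without effective-directive.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.test/",
    "violated-directive": "default-src 'self'",
    "blocked-uri": "https://cdn.example.test/app.js",
}}).encode("utf-8")

if __name__ == "__main__":
    print(parse_csp_report(None, SAMPLE_BODY)["effective-directive"])
```

A header that is present but names an unexpected type is still rejected, so the fallback only widens acceptance to bodies that already have the shape of a CSP report.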

@BYK
Member

BYK commented Oct 21, 2020

I guess this is here to stay based on that bugzilla ticket.

@BYK
Member

BYK commented Oct 21, 2020

@dcramer @mitsuhiko do we want to invest into this?
