Support browser reports submitted via Reporting API #5471

Open
reedloden opened this issue May 30, 2017 · 17 comments
Comments

@reedloden
Contributor

Instead of supporting a different reporting method for every different browser feature (CSP, HPKP, Expect-CT, etc.), a Reporting API is being developed to allow batching all these reports together and submitting to an endpoint.

Chrome just announced that they are implementing this.

From my understanding, CSP (and other reports) will be deprecating their old reporting method and swapping to this new reporting method. As normal CSP reports are already supported by Sentry, just need to add support for this new API to keep up once Chrome and other browsers start supporting (and sending) them.

cc @ScottHelme

@mattrobenolt
Contributor

CSP's existing report-uri mechanism is fairly naive with regard to its behavior on the network. We send one POST per violation, which means that we're sending a lot of requests in aggregate. report-to uses the Reporting API to batch up violation reports, and send them out of band, whenever the device is happiest sending reports.

Yessss. I'll keep an eye on this for now.
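The batching difference quoted above changes what an endpoint receives: report-uri delivers one `application/csp-report` POST per violation, while the Reporting API delivers an `application/reports+json` array that can mix CSP violations with other report types. The following is an added example, not Sentry's code, of a receiver that accepts both shapes and normalizes Reporting API CSP violations into the legacy `csp-report` layout; the field names follow the CSP3 and Reporting API drafts, the batch cap and sample batch are constructed for the example.

```python
"""Normalize Reporting API batches into legacy CSP report-uri payloads.

Added example (not Sentry's code). Assumes the caller has already read
the request's Content-Type and raw body. The batch cap is an assumption.
"""
from __future__ import annotations

import json
from typing import Any

LEGACY_CONTENT_TYPE = "application/csp-report"
REPORTING_API_CONTENT_TYPE = "application/reports+json"
MAX_REPORTS_PER_BATCH = 100  # assumption: bound the work one request can cause

# Reporting API (camelCase) body field -> legacy report-uri (kebab-case) field
_FIELD_MAP = {
    "documentURL": "document-uri",
    "referrer": "referrer",
    "blockedURL": "blocked-uri",
    "effectiveDirective": "effective-directive",
    "originalPolicy": "original-policy",
    "disposition": "disposition",
    "statusCode": "status-code",
    "sample": "script-sample",
    "sourceFile": "source-file",
    "lineNumber": "line-number",
    "columnNumber": "column-number",
}


def parse_security_reports(content_type: str, raw_body: bytes) -> list[dict[str, Any]]:
    """Return a list of legacy-shaped {"csp-report": {...}} dicts.

    Accepts either one legacy report-uri POST or one batched Reporting API
    POST. Non-CSP report types in a batch (deprecation, intervention, ...)
    are dropped because this endpoint only stores CSP violations.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("body is not valid JSON") from exc

    if media_type == LEGACY_CONTENT_TYPE:
        if not isinstance(payload, dict) or not isinstance(payload.get("csp-report"), dict):
            raise ValueError("legacy payload must be {'csp-report': {...}}")
        return [{"csp-report": payload["csp-report"]}]

    if media_type == REPORTING_API_CONTENT_TYPE:
        if not isinstance(payload, list):
            raise ValueError("Reporting API payload must be a JSON array")
        if len(payload) > MAX_REPORTS_PER_BATCH:
            raise ValueError("batch too large")
        normalized = []
        for report in payload:
            if not isinstance(report, dict) or report.get("type") != "csp-violation":
                continue
            body = report.get("body")
            if not isinstance(body, dict):
                continue
            legacy = {_FIELD_MAP[k]: v for k, v in body.items() if k in _FIELD_MAP}
            # CSP3 dropped violated-directive; mirror effective-directive so
            # consumers written for the legacy format keep working.
            if "effective-directive" in legacy:
                legacy.setdefault("violated-directive", legacy["effective-directive"])
            normalized.append({"csp-report": legacy})
        return normalized

    raise ValueError(f"unsupported content type: {media_type}")


# Constructed sample batch: one CSP violation plus one unrelated report type.
SAMPLE_BATCH = [
    {
        "type": "csp-violation",
        "age": 10,
        "url": "https://app.example/page",
        "user_agent": "constructed-UA/1.0",
        "body": {
            "documentURL": "https://app.example/page",
            "blockedURL": "https://third-party.example/x.js",
            "effectiveDirective": "script-src",
            "originalPolicy": "default-src 'self'; report-to csp-endpoint",
            "disposition": "report",
            "statusCode": 200,
            "referrer": "",
        },
    },
    {
        "type": "deprecation",
        "age": 5,
        "url": "https://app.example/page",
        "user_agent": "constructed-UA/1.0",
        "body": {"id": "SomeFeature", "message": "constructed"},
    },
]

if __name__ == "__main__":
    for r in parse_security_reports("application/reports+json", json.dumps(SAMPLE_BATCH).encode()):
        print(json.dumps(r, indent=2))
```

The media type is compared after stripping parameters because browsers may append a charset; the cap on batch size exists because a single batched POST can carry many reports and the endpoint should bound the work one request creates.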

@renchap

renchap commented Sep 6, 2018

This is now implemented in Chrome (behind a flag): https://developers.google.com/web/updates/2018/09/reportingapi

For ReportingObserver (part of the Reporting W3C spec), I opened a ticket with RavenJS: getsentry/sentry-javascript#1450

@kaplun

kaplun commented Apr 10, 2019

Hi! Is this feature something you are working on implementing?

@markstory
Member

@kaplun There is a pull request open to support the Report-To header but the reporting API doesn't have any complete implementations yet.

@kaplun

kaplun commented Apr 12, 2019

You mean Sentry's PR does not have a complete implementation, or browsers do not yet have a complete implementation? Because it looks like they do have it: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to#Browser_compatibility (edit: corrected URL)

@markstory
Member

My mistake, I was conflating the feature-policy reports with the Report-To header. Feature policy violation reporting is what we have an open pull request for #8921.

To my knowledge there aren't any open pull requests to add support for Report-To and no work planned for the next few months.

@BYK
Member

BYK commented Oct 26, 2020

Related: #10202

@dzagorovsky

I can't figure out how to make CSP reporting work with the Report-To header. Our service provides a Report-To header pointing to Sentry, and our Content-Security-Policy-Report-Only report-to directive points to the group described in Report-To. But Chrome is unable to send a report in this case. All the attempts 3(3) failed according to chrome://net-export/.
Does Sentry support Report-To with CSP?
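A setup like the one described above fails silently when the group named in the report-to directive does not match a declared group, when an endpoint is not https, or when the policy lives only in a meta tag (report-uri and report-to are ignored there). The following is an added example, not Sentry's or this commenter's code, that builds the three headers with a report-uri fallback and checks them for those mismatches; the endpoint URL and group name are placeholders, and the header grammar follows the Report-To and Reporting-Endpoints drafts.

```python
"""Check that a CSP report-to directive resolves to a declared endpoint.

Added example, not Sentry's code. SENTRY_ENDPOINT is a placeholder shaped
like the security endpoint URL discussed in this thread.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

SENTRY_ENDPOINT = "https://sentry.example/api/PROJECT_ID/security/?sentry_key=PUBLIC_KEY"  # placeholder


def build_headers(group: str = "csp-endpoint", endpoint: str = SENTRY_ENDPOINT) -> dict[str, str]:
    """Response headers declaring the group both ways, with a report-uri fallback."""
    report_to = json.dumps({"group": group, "max_age": 10886400, "endpoints": [{"url": endpoint}]})
    reporting_endpoints = f'{group}="{endpoint}"'
    csp = f"default-src 'self'; report-uri {endpoint}; report-to {group}"
    return {
        "Report-To": report_to,
        "Reporting-Endpoints": reporting_endpoints,
        "Content-Security-Policy-Report-Only": csp,
    }


def _csp_directive(csp: str, name: str) -> list[str]:
    """Values of one directive in a serialized policy (empty if absent)."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []


def _report_to_groups(header: str) -> dict[str, list[str]]:
    """Report-To carries one or more comma-separated JSON objects."""
    groups: dict[str, list[str]] = {}
    if not header.strip():
        return groups
    # Wrapping in [] parses the comma-separated objects as one JSON list,
    # which avoids splitting on commas that appear inside the objects.
    for obj in json.loads(f"[{header}]"):
        urls = [e.get("url", "") for e in obj.get("endpoints", [])]
        groups[obj.get("group", "default")] = urls
    return groups


def _reporting_endpoints(header: str) -> dict[str, list[str]]:
    """Reporting-Endpoints is a comma-separated list of name="url" members."""
    groups: dict[str, list[str]] = {}
    for item in filter(None, (p.strip() for p in header.split(","))):
        name, _, url = item.partition("=")
        groups[name.strip()] = [url.strip().strip('"')]
    return groups


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the setup is coherent."""
    problems: list[str] = []
    csp = headers.get("Content-Security-Policy-Report-Only") or headers.get("Content-Security-Policy", "")
    if not csp:
        return ["no CSP header: report-uri/report-to in a <meta> tag alone sends nothing"]
    groups = {}
    groups.update(_report_to_groups(headers.get("Report-To", "")))
    groups.update(_reporting_endpoints(headers.get("Reporting-Endpoints", "")))
    for group in _csp_directive(csp, "report-to"):
        if group not in groups:
            problems.append(f"report-to group '{group}' is declared in neither Report-To nor Reporting-Endpoints")
            continue
        for url in groups[group]:
            if urlparse(url).scheme != "https":
                problems.append(f"endpoint {url!r} for group '{group}' is not https; browsers will not deliver to it")
    if not _csp_directive(csp, "report-uri"):
        problems.append("no report-uri fallback: browsers without Reporting API support will send nothing")
    return problems


if __name__ == "__main__":
    for name, value in build_headers().items():
        print(f"{name}: {value}")
    print("problems:", check_headers(build_headers()))
```

Declaring the group in both Report-To and Reporting-Endpoints covers browser versions that only read one of the two headers, and keeping report-uri alongside report-to is what lets the legacy endpoint continue to receive violations in the meantime.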

@BYK
Member

BYK commented Nov 23, 2020

@dzagorovsky don't think we support this yet but keeping the issue open as a feature request.

@adarnon

adarnon commented Dec 8, 2020

Please support this. report-uri is officially deprecated.

@ravick12

Any updates on this yet? Browsers are now soon moving to 'reporting-endpoints' too.

@markstory
Member

No updates. There aren't any current plans to add support for reporting endpoints.

@drekinov

drekinov commented Mar 4, 2022

We thought that CSP reporting is supported.
Please update / remove the CSP instructions, as it seems not to be working as it is now.
We configured report-uri and nothing happens with modern browsers.
We tried to configure Report-url; however, as it is not supported, again nothing happened in Sentry.
Eventually we found the open issue confirming that CSP reporting is not supported ...

I am sincerely sorry. It seems the issue is caused by not fully understanding how the HTTP header and meta tag CSP policy complement each other.
We had meta tag + header for report-uri and it did not work. However, as soon as we added the full policy into the header it worked.
Not sure if the header is ignored because no useful policy is there OR report-uri is used only for values specified in the header.

@BYK
Member

BYK commented Mar 4, 2022

@drekinov CSP reporting is supported (I'm successfully using it for instance). This issue is about supporting the new reporting format, defined via the report-to directive. If you use the good old report-uri it works. It needs to look something like this:

report-uri https://sentry.io/api/xxxx/security/?sentry_key=xxxxxx&sentry_environment=beta&sentry_release=xxxxxx

@MagnusHJensen

Any news or updates on this?

@teytattze

Hi, I followed the Sentry official documentation to report the CSP violation to Sentry. It works well when using the report-uri directive but once switching to the report-to (without using the report-uri as a fallback) it doesn't work. If I am not mistaken, the report-to directive is not supported yet because Sentry doesn't support Reporting API (correct me if I am wrong). It would be great if someone could give an update on this.

@getsantry
Contributor

getsantry bot commented Jan 12, 2024

Routing to @getsentry/product-owners-settings-security-privacy for triage ⏲️
