Security Policy Reporting - Content-Security-Policy has incorrect report-to info #9199
Comments
Assigning to @getsentry/support for routing ⏲️
Routing to @getsentry/product-owners-docs for triage ⏲️
@rodolfoBee Can you advise us on how best to address this in the docs? Would updating the code sample to remove query parameters (e.g. sentry_key=examplePublicKey) work or is that required? If there's no easy fix, should we remove the content security policy section entirely since report-uri is deprecated and report-to doesn't work? Are there any other updates we need to make?
@vivianyentran this is a question for the engineering team responsible for the feature.
Hi @vivianyentran,
proposed some doc changes in #9440. @dan-goswag could you, please, check if the config from the above PR works for you?
The docs will be updated in the linked PR and the followup work will be done in getsentry/sentry#38940 and getsentry/relay#2645
@olksdr Gave it a try, seems to work for me. Many thanks for the fix.
Core or SDK?
Platform/SDK
Which part? Which one?
Web - Security Headers
Description
Following the instructions at https://docs.sentry.io/product/security-policy-reporting/#content-security-policy I configured the report-to field in my CSP to send to Sentry.
However this did not work - as per getsentry/sentry#52794 report-to does not support the use of querystring parameters which are used in the examples. Report-uri continues to work as expected.
Suggested Solution
The documentation should not show using the report-to field in a way which does not currently work, so this documentation should be removed or updated.
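An added example, not part of the issue or of Sentry's documentation: a small header lint for the failure reported above, which flags a CSP `report-to` group whose Report-To endpoint URL carries a query string. The host, path and function names are constructed for illustration; only `sentry_key=examplePublicKey` comes from the thread.

```python
import json
from urllib.parse import urlsplit

# Constructed sample values: host and path are placeholders; only the
# sentry_key=examplePublicKey query parameter is taken from the thread.
ENDPOINT = "https://reports.example.invalid/csp/?sentry_key=examplePublicKey"
CSP = f"default-src 'self'; report-uri {ENDPOINT}; report-to csp-endpoint"
REPORT_TO = json.dumps(
    {"group": "csp-endpoint", "max_age": 10886400, "endpoints": [{"url": ENDPOINT}]}
)


def parse_csp(csp):
    """Split one Content-Security-Policy value into {directive: [values]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def parse_report_to(header):
    """Report-To is a comma-separated list of JSON objects: map group -> URLs."""
    groups = {}
    objects = json.loads(f"[{header}]") if header.strip() else []
    for obj in objects:
        groups[obj.get("group", "default")] = [e["url"] for e in obj.get("endpoints", [])]
    return groups


def audit(csp, report_to=""):
    """Return findings for the report-to setup described in the issue."""
    directives = parse_csp(csp)
    groups = parse_report_to(report_to)
    findings = []
    for name in directives.get("report-to", []):
        if name not in groups:
            findings.append(f"report-to group '{name}' is not defined in Report-To")
        for url in groups.get(name, []):
            if urlsplit(url).query:
                findings.append(f"endpoint for group '{name}' has a query string: {url}")
    if "report-to" in directives and "report-uri" not in directives:
        findings.append("report-to is set without a report-uri directive")
    return findings


if __name__ == "__main__":
    for finding in audit(CSP, REPORT_TO):
        print(finding)
```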