I built a very simple (it’s impressive how dumb it is) CSP reporting target. The code is at github.com/icco/reportd. If you’re interested in using it, I’ve got a version running at reportd.natwelch.com. An example on how to use it if you don’t want to run your own:
$ curl -svL https://writing.natwelch.com > /dev/null
...
> GET / HTTP/2
> Host: writing.natwelch.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/2 200
< nel: {"report_to":"default","max_age":2592000}
< report-to: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://reportd.natwelch.com/report/writing"}]}
< content-security-policy: upgrade-insecure-requests; default-src 'self' https://graphql.natwelch.com/graphql; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; font-src https://fonts.gstatic.com; img-src 'self' data: https://a.natwelch.com https://icco.imgix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://a.natwelch.com/tracker.js; object-src 'none'; report-uri https://reportd.natwelch.com/report/writing; report-to default
...
Just replace writing
in https://reportd.natwelch.com/report/writing
with whatever your service is. For example https://reportd.natwelch.com/report/your-name-here
.
For those that don't know what CSP is, it stands for Content Security Policy, and it is a way for servers to set rules on what types of data they should load. Mozilla has a great document that goes into the details of how CSP works.
Google has been expanding on the ideas presented in CSP, mainly that you can have an endpoint a browser can send client side errors to. The proposed Reporting API lets you specify a Report-To
header, which tells the browser where to send reports. These reports could be CSP errors, network errors, and many other things. It seems really useful to me, so I decided to build reportd to play with it.
I hope you enjoy the service. It's free. If you want another service that is supported by a large organization and is much nicer, check out report-uri.com.
/Nat