I built a very simple (it’s impressive how dumb it is) CSP reporting target. The code is at github.com/icco/reportd. If you’re interested in using it, I’ve got a version running at reportd.natwelch.com. An example on how to use it if you don’t want to run your own:

$ curl -svL https://writing.natwelch.com > /dev/null
> GET / HTTP/2
> Host: writing.natwelch.com
> User-Agent: curl/7.54.0
> Accept: */*
< HTTP/2 200
< nel: {"report_to":"default","max_age":2592000}
< report-to: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://reportd.natwelch.com/report/writing"}]}
< content-security-policy: upgrade-insecure-requests; default-src 'self' https://graphql.natwelch.com/graphql; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; font-src https://fonts.gstatic.com; img-src 'self' data: https://a.natwelch.com https://icco.imgix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://a.natwelch.com/tracker.js; object-src 'none'; report-uri https://reportd.natwelch.com/report/writing; report-to default

Just replace writing in https://reportd.natwelch.com/report/writing with whatever your service is. For example https://reportd.natwelch.com/report/your-name-here.

For those that don't know what CSP is, it stands for Content Security Policy, and it is a way for servers to set rules on what types of data they should load. Mozilla has a great document that goes into the details of how CSP works.

Google has been expanding on the ideas presented in CSP, mainly that you can have an endpoint a browser can send client side errors to. The proposed Reporting API lets you specify a Report-To header, which tells the browser where to send reports. These reports could be CSP errors, network errors, and many other things. It seems really useful to me, so I decided to build reportd to play with it.

I hope you enjoy the service. It's free. If you want another service that is supported by a large organization and is much nicer, check out report-uri.com.


#opensource #code #infrastructure


Related Posts

Some interesting technical articles. Discussion of client side SSL certs, optimizing PNGs, Twitter's Architecture, HTTP 2.0 and Japan's file sharing ecosystem.

After a year in London, I figured I'd write up the places I have eaten often and enjoyed. These are in no order and the organization is rough to say the least.

So I've been listening to Reply All for a while, and I love it. The show is thoughtful and silly. Often providing insight into interesting parts of the internet I had never heard about.