I have a report-uri that works well in Firefox, but Chrome-based browsers ignore this property and expect report-to instead. I have set up a server-side API on localhost to receive the browser report: http://localhost:8080/api/csp-report-endpoint. The report-uri works well with this endpoint on localhost.
Now, I want to set up a Content Security Policy with report-to instead of report-uri.
I have used this page as a reference https://developer.chrome.com/articles/reporting-api/
My web app has the following headers successfully set up:
Content-Security-Policy: default-src 'self'; report-to csp-report-endpoint
Reporting-Endpoints: csp-report-endpoint="http://localhost:8080/api/csp-report-endpoint", default="http://localhost:8080/api/csp-report-endpoint"
I am running my application locally for tests. I have the CSP violation alerts appearing in the browser console, but I do not receive any report. I have checked the API reporting tab in the Chrome dev tools and no report is found. However, when I use the network log export chrome://net-export/, I see the reports are in status "queued".
I have read that the browser Reporting API works in a trustworthy secure context, but according to the W3C documentation, localhost is also considered a secure context. I have tried the following with no satisfying result:
- run chrome with the flags: .\chrome.exe --short-reporting-delay --allow-insecure-localhost
- use online webhook from webhook.site as report target
At this point I am starting to believe it is impossible to test CSP report-to on localhost. Also, an answer to another related issue states the same problem when testing on localhost, even when using a certificate for localhost on https.
Did anyone face the same issue and find a solution?
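Whatever the cause of the queued reports, a receiver that can be pointed at from both header styles makes it easier to tell a delivery problem from a parsing problem: Firefox posts the legacy report-uri payload (Content-Type application/csp-report, one object under "csp-report") while the Reporting API behind report-to posts application/reports+json (a JSON array of report objects with "type": "csp-violation" and camelCase field names). The following is an added example, not code from the question or from the Chrome article it references; it reuses the question's port 8080 and /api/csp-report-endpoint path, and everything else (the handler, the test page, the constructed sample payloads) is an assumption.

```python
"""
Minimal CSP report receiver for local testing. Serves a test page on GET / whose
headers set both report-uri and report-to, and accepts reports on POST
/api/csp-report-endpoint in either the legacy or the Reporting API format.

Hypothetical example; only the port and endpoint path come from the question.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

ENDPOINT_PATH = "/api/csp-report-endpoint"
ENDPOINT_URL = "http://localhost:8080" + ENDPOINT_PATH


def normalize_reports(content_type: str, body: bytes) -> list:
    """Return a list of {document, directive, blocked} dicts for either payload format.

    Unknown content types yield an empty list rather than raising, so a stray
    request cannot crash the receiver.
    """
    data = json.loads(body.decode("utf-8"))
    out = []
    if content_type.startswith("application/csp-report"):
        # report-uri style: {"csp-report": {"document-uri": ..., "blocked-uri": ...}}
        r = data.get("csp-report", {})
        out.append({
            "document": r.get("document-uri"),
            "directive": r.get("effective-directive") or r.get("violated-directive"),
            "blocked": r.get("blocked-uri"),
        })
    elif content_type.startswith("application/reports+json"):
        # report-to style: [{"type": "csp-violation", "url": ..., "body": {...}}, ...]
        for rep in data:
            if rep.get("type") != "csp-violation":
                continue
            b = rep.get("body", {})
            out.append({
                "document": b.get("documentURL") or rep.get("url"),
                "directive": b.get("effectiveDirective"),
                "blocked": b.get("blockedURL"),
            })
    return out


class CSPReportHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The inline script violates default-src 'self', so loading this page
        # should make the browser send a violation report to the endpoint.
        html = b"<!doctype html><p>csp test</p><script>document.title='x'</script>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header(
            "Content-Security-Policy",
            "default-src 'self'; report-uri %s; report-to csp-report-endpoint" % ENDPOINT_PATH,
        )
        self.send_header("Reporting-Endpoints", 'csp-report-endpoint="%s"' % ENDPOINT_URL)
        self.send_header("Content-Length", str(len(html)))
        self.end_headers()
        self.wfile.write(html)

    def do_POST(self):
        if self.path != ENDPOINT_PATH:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        ctype = self.headers.get("Content-Type", "")
        for v in normalize_reports(ctype, body):
            print("CSP violation on %s: %s blocked %s" % (v["document"], v["directive"], v["blocked"]))
        # A 2xx with no body is enough for both delivery mechanisms.
        self.send_response(204)
        self.end_headers()


# Constructed sample payloads in the shape each browser mechanism sends,
# so the parser can be exercised without a browser.
SAMPLE_REPORT_URI = json.dumps({"csp-report": {
    "document-uri": "http://localhost:8080/",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "blocked-uri": "inline",
}}).encode()

SAMPLE_REPORT_TO = json.dumps([{
    "type": "csp-violation", "age": 10, "url": "http://localhost:8080/",
    "body": {"documentURL": "http://localhost:8080/",
             "effectiveDirective": "script-src-elem", "blockedURL": "inline"},
}]).encode()


if __name__ == "__main__":
    print("Open http://localhost:8080/ in a browser; reports are logged here.")
    HTTPServer(("localhost", 8080), CSPReportHandler).serve_forever()
```

Run it, open http://localhost:8080/ in the browser under test, and watch the console: the report-uri branch confirms that the endpoint and the policy are wired correctly, and an absent report-to delivery then points at the Reporting API queue rather than at the server.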