30.1.0 feat(netlify): Add error reporting endpoint
- `src/headers/_headers_template`:
Add `report-uri.com` reporting endpoint:
  - Add `Report-To:` to send errors to report-uri.com:
    - Add to `CSP`: `report-uri`, `report-to` to report CSP errors.
    - Add `NEL:` to report client network errors.
s6mike committed Jan 22, 2024
1 parent e70b11a commit 26781af
Showing 2 changed files with 12 additions and 2 deletions.
7 changes: 7 additions & 0 deletions docs/CHANGELOG.md
@@ -6,6 +6,13 @@
- Add note about linking/using templates (html and latex) with pandoc.
- Add references to argmap specs spreadsheet?

## argmap 30.1.0

- `src/headers/_headers_template`: Add `report-uri.com` reporting endpoint:
- Add `Report-To:` to send errors to report-uri.com:
- Add to `CSP`: `report-uri`, `report-to` to report CSP errors.
- Add `NEL:` to report client network errors.

## argmap 30.0.9

- `src/headers/_headers_template`: Harden headers:
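Review bot: the three sub-items under the `_headers_template` entry (`Report-To:`, the `CSP` directives, `NEL:`) are written as top-level bullets at the same level as their parent, so the CHANGELOG reads as four unrelated changes instead of one endpoint change with three parts; indent them under the parent bullet as the commit message does. "Add to `CSP`: `report-uri`, `report-to`" would also read more clearly as "Add `report-uri` and `report-to` directives to the CSP so CSP violations are reported".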
7 changes: 5 additions & 2 deletions src/headers/_headers_template
@@ -6,12 +6,15 @@
/*
Access-Control-Allow-Origin: https://argview.org
Vary: Origin
Content-Security-Policy: style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; form-action 'self'; connect-src 'self'; img-src data: 'self'; default-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; trusted-types 'none'; upgrade-insecure-requests;
Content-Security-Policy: style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; form-action 'self'; connect-src 'self'; img-src data: 'self'; default-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; trusted-types 'none'; upgrade-insecure-requests; report-uri https://argview.report-uri.com/r/d/csp/enforce; report-to default;
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
HTTP-Cross-Origin-Opener-Policy: same-origin
NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}
# Unrecognized by chrome (all experimental): ambient-light-sensor=(), battery=(), document-domain=(), layout-animations=(), legacy-image-formats=(), oversized-images=(), unoptimized-images=(), speaker-selection=(), unsized-media=(),
Permissions-Policy: accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
# Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://argview.org/.netlify/functions/__csp-violations"}],"include_subdomains":true}
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://argview.report-uri.com/a/d/g"}],"include_subdomains":true}
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
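Review bot: `HTTP-Cross-Origin-Opener-Policy:` (unchanged context, two lines above the new `NEL:` line) is not a header name browsers recognise; the header is `Cross-Origin-Opener-Policy`, so as written no opener isolation is applied, and this block is a good place to fix it. On the additions themselves: both `NEL:` and `Report-To:` set `max_age` to one year with `include_subdomains` true, so each client caches the policy for that long; if these headers are later removed rather than replaced with a `max_age` of 0, browsers keep sending CSP and network-error reports (which include the failing URLs) to the third-party report-uri.com endpoint for the rest of that period, so a shorter `max_age` is safer until the endpoint is settled. The commented-out `# Report-To:` line pointing at the Netlify function is dead configuration; either drop it or add a comment saying why it is kept. Keeping `report-uri` next to `report-to` is correct as the fallback for browsers without Reporting API support.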
@@ -20,4 +23,4 @@

/output/html/*
# TODO: Harden further: require-trusted-types-for 'script';
Content-Security-Policy: style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; form-action 'self'; connect-src 'self'; img-src data: 'self'; default-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; trusted-types 'none'; upgrade-insecure-requests; ${script-src-elem}
Content-Security-Policy: style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; form-action 'self'; connect-src 'self'; img-src data: 'self'; default-src 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; trusted-types 'none'; upgrade-insecure-requests; report-uri https://argview.report-uri.com/r/d/csp/enforce; report-to default; ${script-src-elem}
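Review bot: `report-to default` in the `/output/html/*` policy depends on the `default` group defined by the `Report-To:` header in the `/*` block above; confirm that those `/*` headers are also sent on `/output/html/*` responses, otherwise this directive has no endpoint and only the `report-uri` fallback fires. The two reporting directives are now duplicated verbatim in both `Content-Security-Policy` headers, so future endpoint changes must be made twice; a template variable in the style of the existing `${script-src-elem}` placeholder would keep them from drifting.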
