Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

report-to

See original GitHub issue

I got this when validating my HTML. Time to add the report-to directive?

Warning: Content-Security-Policy HTTP header: Bad content security policy: A draft of the next version of CSP deprecates report-uri in favour of a new report-to directive.

Issue Analytics

State:
Created 6 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

EvanHahncommented, Apr 7, 2021

@mjaggard helmet@4 and helmet-csp@3 added support for all directives by accepting any keys you provide.

You can use report-to with Helmet like this:

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        reportTo: ["foo"],
      },
    },
  })
);

Or if you prefer to use the CSP middleware by itself:

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      reportTo: ["foo"],
    },
  })
);

Hope this answers your question.

0reactions

mjaggardcommented, Apr 7, 2021

@EvanHahn I can see https://github.com/helmetjs/csp/commit/b2d9fdf50a5ca63de8631c8b46f1ea0500bd74ba was merged into csp to solve this issue, but I can’t see any equivalent code in the helmet code base. Did this get missed or was it not included on purpose?