I’ve tried to follow mozilla guide lines for setting up report-to and report-uri in CSP-Report-Only mode. My CSP: $csp = "report-to csp-endpoint; report-uri ".get_bloginfo('url')."/csp-report-url/; script-src 'self'"; header("Content-Security-Policy-Report-Only: $csp "); In the console i get: some violation...a report has been sent... 404 for POST http://localhost:8888/wordpress/csp-report-url/ My csp-endpoint is csp-endpoint.json file in the root directory: Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "http://localhost:8888/wordpress/csp-reports" } ] } And finally i have, also in the root directory, csp-reports (a simple text file). I expected, that errors would be logged to this file, but nothing happens. I’ve looked at several resources, but none of these are concisely explaining, how this is plugged together to make it work. I tried to create a page in wordpress with the title csp-report-url. Nothing is reported to this page. How can i make these features report-to and report-uri work in a wordpress environment?
Jese Leos
September 7, 2024
Verified user
Essentially there should be an endpoint listening to receive CSP error reports. In WordPress you can create a REST API endpoint using the rest_api_init hook to handle CSP reports. Docs are here https://developer.wordpress.org/reference/hooks/rest_api_init/. The report data that receive via the endpoint can be logged to a file in this case could be the file you created csp-reports This requires some minimal coding and understanding of the workings of web applications. Hope this will help you!