node.js - How to send Reporting API reports cross-origin (Report-To) header - TagMerge
3How to send Reporting API reports cross-origin (Report-To) headerHow to send Reporting API reports cross-origin (Report-To) header

How to send Reporting API reports cross-origin (Report-To) header

Asked 1 years ago
1
3 answers

Your code appears to be correct, but there is currently a bug in Chrome/Chromium's implementation of CORS for the Reporting API, which is likely to be causing your problem. See Chromium issue #1152867. The gist of the bug is that the CORS implementation used here requires that an Access-Control-Allow-Methods: POST header exists on the response, which is not compliant with the CORS spec, as POST is a "simple" method.

If you are able to modify the CORS implementation on your server, you can modify it to always include the Access-Control-Allow-Methods: POST header on the OPTIONS response, which should work around the bug.

Otherwise, you will have to either not use a cross-domain request for reporting, or fall back to only using the deprecated Report-Uri directive until the fix is released. The latter shouldn't be too much of an issue, as Firefox and Safari don't support the new Report-To header yet anyway.

Source: link

0

CSP reporting API is not a subject of CORS, because no resources are loaded from the server. Browser just send a report and does not expect any headers/response from CSP reporting API. To show this you return the 204 No content header so that the browser does not expect a response.

Why do you think that you have a CORS issue? When you proxying site via Cloudflare.com, it injects into all pages a NEL/Report-to (the same as CSP/Report-to) headers with CF's own domain without any CORS issue: enter image description here I had implemented a lot of endpoints for report-uri and never face any CORS issues.

Note that report-uri is obsolete in favour report-to directive, but browsers does not supports report-to except Chrome.

When you simulate sending a report for testing purposes, do not use an ordinary ajax POST request - it is subject to CORS.
To imitate sending real report, generate a page on third-party domain:

<script>alert('inline success')</script>

and send it with CSP header:

Content-Security-Policy: "default-src 'report-sample' report-uri https://your_reporting_api.com/endpoint;"

When debug it's easier to use report-uri not report-to.

Source: link

0

When configured with a report-to directive, CSP reports will use the Reporting API to send the reports. The browser will require CORS for cross-origin reports in that case, and it's possible that your server is not correctly configured to negotiate CORS on that URL. (I don't know the details of the npm package you're using, but that would be my suspicion).

The browser will send a pre-flight request of the form:

OPTIONS /csp-report HTTP/1.1
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Origin: example-1.com

And your server needs to respond with something like:

200 OK HTTP/1.1
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: example.com
Access-Control-Max-Age: 3600

If that happens, then the second request (with the actual report) will be sent.

The Chrome NetLog viewer can be useful for debugging these sorts of problems.

As well, recent versions of Chrome have experimental support in DevTools for Reporting. You should be able to see configured endpoints, as well as reports which have been queued. (Chrome 96 instructions: Open devtools, click the gear icon for settings, and under "experiments" there is an option labeled "Enable Reporting API panel in the Application panel")

Source: link

Questions related to 'How to send Reporting API reports cross-origin (Report-To) header'

How to send Reporting API reports cross-origin (Report-To) header
Cross Origin Problem with Flask Api (Access-Control-Allow-Origin)
laravel header Allow Origin error while calling api
Delaying the sending emails with Sendgrid and Django, SMTP api and send_at header
How to add Jetty-Servlets into Java Project via Maven for Cross-Origin-Header
Can AWS LAMBDA Web API authenticate by middleware if you send jwt token in the header
What is the best way to send firebase user token from frontend to backend in API Auth header without having to fetch token each time ? (NextJs))
Python>How to pass CSV Headers & values under headers, as API req parameter/payload, dynamically (without hardcoding headers in code) with request lib
strict-origin-when-cross-origin when using POST in a form to a route
Host header or origin header is specified and is not localhost for selenium grid
append header not added in header for api basic auth in ionic
google maps - Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
CORS: The 'Access-Control-Allow-Origin' header has a value 'http://localhost:3000' that is not equal to the supplied origin
how to add image in header and keep first page header and footer different from other pages using google docs API in python
How to send headers to a JMS message
Sorviceworker in cross origin iframe
How should I have API users send their keys?
How to send request to Phish Tank Api?
how to send my raw data to a Api in flutter
How would I send a file with Web Serial API?

Recent Questions on node.js

    Programming Languages