CSP report-uri does not work

Question

I'm using the following PHP script to test CSP policy,

<?php
   header("Content-Security-Policy: default-src https:; report-uri /report.php");
   header("Content-Security-Policy: default-src 'self'");
?>

<html>
   <body>
        <script src="http://google/abc.js"></script>
   </body>
</html>

The CSP policy works,

But the report-uri part didn't. The reporting request was never sent and no relevant entry in nginx access logs

Any ideas?

@ISMSDEV Tried both IP address and fqdn, but I only edited /etc/hosts to achieve it — daisy, Nov 11 '17 at 16:32
You tried with only the one header being set? Your second one doesn’t have the report uri. Take that line out. — ISMSDEV, Nov 11 '17 at 16:54

score 3 · Accepted Answer · answered Nov 11 '17 at 16:55

From the Content-Security-Policy standard:

A server SHOULD NOT send more than one HTTP response header field named "Content-Security-Policy" with a given resource representation.

But, you are using multiple Content-Security-Policy headers. The behavior is not defined for this case. But it looks like that the browsers in this case only use the latest header. This means your first header which specifies a report-uri gets ignored and only the second header use, which does not specify a report-uri.

Yes that looks like the problem. Missed that initially – ISMSDEV Nov 11 '17 at 16:58 — ISMSDEV, Nov 11 '17 at 16:58

CSP report-uri does not work

1 Answers1