The report-uri is being deprecated from web standards and being replaced with the report-to header. The problem is that that header is made out of JSON. The standards are still a work in progress.
https://www.w3.org/TR/reporting-1/#header
To support it alongside the current report-uri method in my content security policy, I added the header like so inside the headers / block:
Report-To "{'url': 'https://example.com/csp/enforce', 'group': 'example-com-csp-enforce', 'max-age': 3600}"
And then to my CSP I appended it:
Content-Security-Policy "default-src 'none'; ...; report-uri 'https://example.com/csp/enforce'; report-to example-com-csp-enforce;"
Now my problem is this: the report-to header, as returned by Caddy to any browser, including curl and more, is:
report-to:
It is blank, completely. I tried adding a \ in front of my { and } and the header then turned into:
report-to: \
Can you help?
Edit 1: Ok, so far I have tracked it down to a replacer for header values here. It seems to look for { or } to replace what’s in those with a substitution value. I’m still reading through the code to try to find what it substitutes.
Edit 2: Ok, so the headers are added here with a replacer.Replace(value) where the value is my header, which then goes to the link in Edit 1.
Edit 3: and finally my entire header gets stripped out due to this and this.
Edit 4: Oh, it’s a feature hxxps://caddyserver com/docs/placeholders! Woopity doo, how can I make it ignore my actual header?
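A simplified model of the substitution traced in Edits 1 to 4, as an added example that is not part of the original post and is not Caddy's own code. It assumes every span from { to the next } is treated as a placeholder and that an unrecognised one becomes the empty string, which reproduces both observed outputs; the known table and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Header values taken from the post; escaped is the backslash attempt.
const reportTo = `{'url': 'https://example.com/csp/enforce', 'group': 'example-com-csp-enforce', 'max-age': 3600}`
const escaped = `\{'url': 'https://example.com/csp/enforce', 'group': 'example-com-csp-enforce', 'max-age': 3600\}`
const csp = `default-src 'none'; report-to example-com-csp-enforce;`

// known is a constructed stand-in for the server's placeholder table.
var known = map[string]string{"{host}": "example.com"}

// replace models the behaviour described in the post (an assumption, not
// Caddy's source): each "{"..."}" span is looked up as a placeholder, and a
// span that is not a known placeholder is replaced with the empty string.
func replace(s string) string {
	var out strings.Builder
	for {
		start := strings.Index(s, "{")
		if start == -1 {
			break
		}
		end := strings.Index(s[start:], "}")
		if end == -1 {
			break
		}
		end += start
		out.WriteString(s[:start])
		out.WriteString(known[s[start:end+1]]) // unknown key yields ""
		s = s[end+1:]
	}
	out.WriteString(s)
	return out.String()
}

// altered reports whether a configured header value would reach the client
// changed, which is the condition worth checking before deploying a policy.
func altered(v string) bool { return replace(v) != v }

func main() {
	for _, v := range []string{reportTo, escaped, csp} {
		fmt.Printf("altered=%-5v sent=%q\n", altered(v), replace(v))
	}
}
```

A check like altered can be run over every configured header value so that a reporting or policy header silently emptied by substitution is caught before it ships.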