Header containing JSON

(Gunni) #1

The report-uri is being deprecated from web standards and being replaced with the report-to header. The problem is that that header is made out of JSON. The standards are still a work in progress.


To support it alongside the current report-uri method in my content security policy, I added the header like so inside the headers / block:

Report-To "{'url': 'https://example.com/csp/enforce', 'group': 'example-com-csp-enforce', 'max-age': 3600}"

And then to my CSP I appended it:

Content-Security-Policy "default-src 'none'; ...; report-uri 'https://example.com/csp/enforce'; report-to example-com-csp-enforce;"

Now my problem is this: the report-to header, as returned by Caddy to any browser, including curl and more, is:


It is blank, completely. I tried adding a \ in front of my { and }, and the header then turned into:

report-to: \

Can you help?

Edit 1: OK, so far I have tracked it down to a replacer for header values here; it seems to look for { or } to replace what’s in those with a substitution value. I’m still reading through the code to try to find what it substitutes.
Edit 2: OK, so the headers are added here with a replacer.Replace(value), where the value is my header, which then goes to the link in Edit 1.
Edit 3: And finally my entire header gets stripped out due to this and this.
Edit 4: Oh, it’s a feature (https://caddyserver.com/docs/placeholders)! Woopity doo, how can I make it ignore my actual header?

(Magikstm) #2

Something like this?

header / -HeaderToStrip

Ref: https://caddyserver.com/docs/header

(Gunni) #3

No, I’m trying to ADD the report-to header, but the placeholders feature is stripping my JSON value out…

(Matthew Fay) #4

Hmm. Caddyfile documentation states, and doesn’t seem to outline any exception, that a token beginning with a double-quote should be interpreted literally.

We should definitely look into this; there needs to be a way to handle escaping the placeholder braces, and it should be documented. Feel like opening an issue at https://github.com/mholt/caddy/issues?

(Gunni) #5

Thanks @Whitestrake, I will!

Edit: reported at https://github.com/mholt/caddy/issues/2063

(Matthew Fay) #6

This should now be doable! (edit: Once the next version of Caddy is tagged, or via compiling from master)

Use a backslash \ to escape all the JSON braces (opening and closing) and the Replacer will ignore them, which should allow you additionally to use placeholders inside that JSON.
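
Added example, not part of the thread and not Caddy's source: a simplified Go model of a brace-placeholder replacer that reproduces the two results reported above (a blank header, then a lone backslash) and the escaped form described in this reply. The `replace` and `findClose` helpers, the `honorEscapes` switch and the `known` table are hypothetical names used for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// replace is a simplified model of a brace-placeholder replacer (an assumption
// for illustration, not Caddy's code). Text between '{' and the next '}' is
// looked up in known; unknown placeholders expand to the empty string.
// With honorEscapes set, "\{" and "\}" are emitted as literal braces.
func replace(s string, known map[string]string, honorEscapes bool) string {
	var out strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if honorEscapes && c == '\\' && i+1 < len(s) && (s[i+1] == '{' || s[i+1] == '}') {
			out.WriteByte(s[i+1]) // escaped brace: keep it, drop the backslash
			i++
			continue
		}
		if c == '{' {
			if end := findClose(s, i+1, honorEscapes); end >= 0 {
				out.WriteString(known[s[i+1:end]]) // missing key yields ""
				i = end
				continue
			}
		}
		out.WriteByte(c)
	}
	return out.String()
}

// findClose returns the index of the next '}' at or after from (from >= 1),
// skipping "\}" when escapes are honored, or -1 if there is none.
func findClose(s string, from int, honorEscapes bool) int {
	for j := from; j < len(s); j++ {
		if s[j] == '}' && !(honorEscapes && s[j-1] == '\\') {
			return j
		}
	}
	return -1
}

func main() {
	known := map[string]string{"host": "example.com"} // constructed placeholder table
	body := `'url': 'https://{host}/csp/enforce', 'max-age': 3600` // constructed value
	fmt.Printf("unescaped, no escape support: %q\n", replace("{"+body+"}", known, false))
	fmt.Printf("escaped, no escape support:   %q\n", replace(`\{`+body+`\}`, known, false))
	fmt.Printf("escaped, escape support:      %q\n", replace(`\{`+body+`\}`, known, true))
}
```

Because the whole JSON object sits between one `{` and one `}`, the model treats it as a single unknown placeholder, which is why the header arrives empty rather than partially mangled.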

(Gunni) #7

Awesome, thanks for the effort :)