Content Security Policy Layer 2 directive report-uri is not working when Layer 3 directive report-to is also sent in the header #17020

Open
tspearconquest opened this issue Jul 19, 2021 · 1 comment
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop

tspearconquest commented Jul 19, 2021

Description

When defining a Content Security Policy on an app, if the report-to directive is sent in the header, Brave does not send reports. This happens even if report-uri is also sent in the header.
I've done some testing and was able to determine that Brave will send reports if the report-to directive is not given in the header, which leads me to conclude that disabling the Reporting API in #7956 has caused this issue. Instead of failing to send a report, the browser should fall back to Layer 2 if the reporting API is disabled or unable to handle the request and a report-uri Layer 2 directive is specified along with the report-to Layer 3 directive.

Steps to Reproduce

  1. Add a report-to and report-uri directive to a CSP header on an app
  2. Browse with Brave
  3. Check the report-to endpoint and report-uri endpoint for reports. Observe none came in.
  4. Remove report-to from the header
  5. Clear cache and browse again. Observe reports come into report-uri endpoint

Actual result:

Expected result:

Reproduces how often:

100% reproducible

Desktop Brave version:

Brave | 1.26.77 Chromium: 91.0.4472.164 (Official Build) (x86_64)
Revision | 541163496c9982c98f61819bab7cf2183ea8180f-refs/branch-heads/4472@{#1569}
OS | macOS Version 11.4 (Build 20F71)

Android Device details:

  • Install type (ARM, x86):
  • Device type (Phone, Tablet, Phablet):
  • Android version:

Version/Channel Information:

  • Can you reproduce this issue with the current release? Yes
  • Can you reproduce this issue with the beta channel?
  • Can you reproduce this issue with the nightly channel?

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields?
  • Does the issue resolve itself when disabling Brave Rewards?
  • Is the issue reproducible on the latest version of Chrome? No

Miscellaneous Information:

@tspearconquest tspearconquest added OS/Android Fixes related to Android browser functionality OS/Desktop labels Jul 19, 2021
@rbairwell

I can confirm that this is still an issue on Brave 1.38.119 on Windows 10 64bit.
100% reproducible, does not resolve with disabling Shields or Rewards and is NOT reproducible on latest version of Chrome or Edge.
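Added example (not part of the issue thread or of Brave's code): a small Python helper for the reproduction steps above. It builds a response that carries both `report-uri` and `report-to`, then classifies whatever the collector receives by wire format, so you can see which mechanism actually delivered a report. The collector origin, the group name and the sample bodies are constructed for illustration.

```python
import json

COLLECTOR = "https://collector.example"  # hypothetical collector origin

def build_headers(collector=COLLECTOR, group="csp"):
    """Response headers carrying both report-uri and report-to."""
    csp = (f"default-src 'self'; report-uri {collector}/report-uri; "
           f"report-to {group}")
    report_to = {"group": group, "max_age": 86400,
                 "endpoints": [{"url": f"{collector}/report-to"}]}
    return {"Content-Security-Policy": csp, "Report-To": json.dumps(report_to)}

def reporting_directives(csp):
    """Map each reporting directive present in a policy to its value."""
    found = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() in ("report-uri", "report-to"):
            found.setdefault(tokens[0].lower(), " ".join(tokens[1:]))
    return found

def classify_report(content_type, body):
    """Normalise one POSTed body and name the mechanism that sent it."""
    media = content_type.split(";")[0].strip().lower()
    data = json.loads(body)
    if media == "application/csp-report" and isinstance(data, dict):
        r = data.get("csp-report", {})  # report-uri: single wrapped object
        return [{"via": "report-uri", "directive": r.get("violated-directive"),
                 "blocked": r.get("blocked-uri")}]
    if media == "application/reports+json" and isinstance(data, list):
        return [{"via": "report-to",  # Reporting API: batched array
                 "directive": r.get("body", {}).get("effectiveDirective"),
                 "blocked": r.get("body", {}).get("blockedURL")}
                for r in data if r.get("type") == "csp-violation"]
    return []

def delivery_summary(posts):
    """Count reports per mechanism across (content_type, body) pairs."""
    counts = {"report-uri": 0, "report-to": 0}
    for content_type, body in posts:
        for report in classify_report(content_type, body):
            counts[report["via"]] += 1
    return counts

SAMPLE_POSTS = [  # constructed bodies, one per wire format
    ("application/csp-report", json.dumps({"csp-report": {
        "violated-directive": "script-src-elem", "blocked-uri": "https://cdn.example/x.js"}})),
    ("application/reports+json", json.dumps([{"type": "csp-violation", "body": {
        "effectiveDirective": "script-src-elem", "blockedURL": "https://cdn.example/x.js"}}])),
]
```

Feed `delivery_summary` the POSTs your collector logged for each browser; with the behaviour reported in this issue, both counts stay at 0 while `report-to` is in the policy.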
