CSP: `report-sample` property in violation reports

The `report-sample` property attempts to reach consensus on an opt-in variant Firefox's behavior. In short, we'll collect a 40-character sample for inline script and style violations, and include it in the violation report (and associated SecurityPolicyViolationEvent object) iff a 'report-sample' expression is present in the violated directive.

Documentation

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Specification

Editor's draft

Status in Chromium

Blink components: Blink>SecurityFeature

Enabled by default (tracking bug) in:

• Chrome for desktop release 59
• Chrome for Android release 59
• Android WebView release 59

Consensus & Standardization

• Firefox: No public signals
• Edge: No public signals
• Safari: No public signals
• Web Developers: Positive

Owner

• mkwst@chromium.org

Last updated on 2018-06-06