Open
Pull Request Overview
This PR implements support for the W3C Reporting API to enable standardized browser reporting for security violations and other issues.
Key changes:
- Added ReportingEndpoints header class to configure named reporting endpoints
- Added report_to directive to Content Security Policy for modern browser reporting
- Introduced new :string directive type for single token CSP values
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| spec/lib/secure_headers/headers/reporting_endpoints_spec.rb | Test coverage for ReportingEndpoints header validation and generation |
| spec/lib/secure_headers/headers/content_security_policy_spec.rb | Tests for report-to directive in CSP including ordering with report-uri |
| lib/secure_headers/headers/reporting_endpoints.rb | Implementation of ReportingEndpoints header class with validation |
| lib/secure_headers/headers/policy_management.rb | Added report_to directive to CSP constants and validation logic |
| lib/secure_headers/headers/content_security_policy.rb | Added string directive type support and report_to to directive ordering |
| lib/secure_headers/configuration.rb | Registered reporting_endpoints in header class mapping |
| lib/secure_headers.rb | Required the new reporting_endpoints file |
| README.md | Documentation for W3C Reporting API usage and browser compatibility |
7443a2d to 7373ce9
Pull Request Overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.
7373ce9 to 6da4ee9
- Updated .rubocop.yml to use plugins instead of require for rubocop-performance
- Auto-fixed 79 style offenses including:
  - Changed OrAssignment to use ||= operator
  - Converted class << self to def self. method definitions
  - Fixed hash literal brace spacing throughout specs
- Manually fixed remaining GitHub/AvoidObjectSendWithDynamicMethod warning by using public_send with a disable comment for intentional dynamic dispatch in test code

All rubocop checks now pass with 0 offenses.
6da4ee9 to ea89038
Implements support for the W3C Reporting API (https://w3c.github.io/reporting/) to enable standardized browser reporting for security violations and other issues.

Changes include:

1. New Reporting-Endpoints Header:
   - Added ReportingEndpoints header class to configure named reporting endpoints
   - Accepts hash configuration: { default: "https://example.com/reports" }
   - Generates header: Reporting-Endpoints: default="https://example.com/reports"
2. CSP report-to Directive:
   - Added report_to directive to Content Security Policy
   - New :string directive type for single token values
   - Positioned before legacy report-uri directive for clarity
3. Configuration Updates:
   - Registered reporting_endpoints in CONFIG_ATTRIBUTES_TO_HEADER_CLASSES
   - Added report_to to DIRECTIVES_3_0 (CSP Level 3)
   - Updated NON_FETCH_SOURCES to include report_to
4. Tests:
   - Complete test coverage for ReportingEndpoints header
   - CSP tests for report-to directive
   - Integration tests for both headers working together
5. Documentation:
   - Added W3C Reporting API section to README
   - Usage examples for both modern and legacy browser support
   - Configuration examples showing endpoint definition and CSP integration

Addresses issue github#512

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
ea89038 to 23b35e7
Contributor (Author):
I rebased this on #558, since the rubocop issues reported are independent of this PR.
Fixes #512
Implements support for the W3C Reporting API (https://w3c.github.io/reporting/)
to enable standardized browser reporting for security violations and other issues.
Changes include:
New Reporting-Endpoints Header:
CSP report-to Directive:
Configuration Updates:
Tests:
Documentation:
Addresses issue #512
🤖 Generated with Claude Code
All PRs:
- spec/lib/secure_headers/headers/reporting_endpoints_spec.rb - Tests for Reporting-Endpoints header
- spec/lib/secure_headers/headers/content_security_policy_spec.rb - Tests for CSP report-to directive

Adding a new header: Reporting-Endpoints
Is the header supported by any user agent? If so, which?
Browser compatibility: https://caniuse.com/wf-reporting
What does it do?
The `Reporting-Endpoints` header defines named endpoints where browsers can send various types of reports using the W3C Reporting API. These reports include:

It replaces the deprecated `Report-To` header with a simpler, more efficient format.

What are the valid values for the header?
A comma-separated list of endpoint definitions in the format: `name="url"`

Examples:
- `default="https://example.com/reports"`
- `default="https://example.com/reports", csp="https://example.com/csp"`

Each endpoint must have:
Where does the specification live?
Adding a new CSP directive: report-to
Is the directive supported by any user agent? If so, which?
Browser compatibility: https://caniuse.com/mdn-http_headers_content-security-policy_report-to
What does it do?
The `report-to` directive specifies the name of a reporting endpoint (defined in the `Reporting-Endpoints` header) where the browser should send CSP violation reports. This is the modern replacement for the `report-uri` directive.

Key differences from `report-uri`:

What are the valid values for the directive?
A single token (string) representing the endpoint name defined in the `Reporting-Endpoints` header.

Examples:
- `report-to default` - References the "default" endpoint
- `report-to csp-endpoint` - References the "csp-endpoint" endpoint

Unlike `report-uri` (which accepts an array of URLs), `report-to` accepts only a single endpoint name.

Where does the specification live?
Additional Notes:
For maximum browser compatibility, both `report-to` (modern) and `report-uri` (legacy) can be used simultaneously:

Modern browsers will use `report-to` and ignore `report-uri`, while older browsers will fall back to `report-uri`.
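The following is an added, stand-alone Ruby example and is not code from the secure_headers gem or from this PR. It models what the PR description and the Copilot summary above describe: a name => URL hash serialized into a `Reporting-Endpoints` header, a CSP whose single-token `report-to` is emitted before the legacy `report-uri` list, and the cross-check that `report-to` actually names a configured endpoint. The module and method names (`ReportingExample`, `reporting_endpoints`, `csp`, `headers`), the https-only rule for endpoint URLs, and the example.com URLs are this example's own assumptions, not the gem's API.

```ruby
# Added example (not secure_headers code): build and validate a
# Reporting-Endpoints header plus a CSP carrying report-to and report-uri.
# Module/method names and the https-only rule are this example's own choices.
require "uri"

module ReportingExample
  # Reporting-Endpoints is a Structured Field dictionary (RFC 8941); its keys
  # start with a lowercase letter or '*' and continue with [a-z0-9_.*-].
  ENDPOINT_NAME = /\A[a-z*][a-z0-9_.*-]*\z/.freeze

  class InvalidEndpoint < ArgumentError; end

  # { default: "https://example.com/reports" } -> 'default="https://example.com/reports"'
  # Only absolute https URLs are accepted here: the Reporting API delivers only to
  # potentially trustworthy URLs, so a bad URL would otherwise fail silently in the
  # browser instead of loudly at header-build time.
  def self.reporting_endpoints(endpoints)
    raise InvalidEndpoint, "at least one endpoint is required" if endpoints.nil? || endpoints.empty?

    endpoints.map do |name, url|
      name = name.to_s
      raise InvalidEndpoint, "invalid endpoint name #{name.inspect}" unless ENDPOINT_NAME.match?(name)

      uri = begin
        URI.parse(url.to_s)
      rescue URI::InvalidURIError
        nil
      end
      unless uri.is_a?(URI::HTTPS) && uri.host
        raise InvalidEndpoint, "endpoint #{name} must be an absolute https URL, got #{url.inspect}"
      end
      %(#{name}="#{uri}")
    end.join(", ")
  end

  # Inverse of reporting_endpoints: parse a header value back into a Hash so a
  # test can check what the browser will actually see.
  def self.parse_reporting_endpoints(value)
    value.split(",").each_with_object({}) do |member, acc|
      name, quoted = member.strip.split("=", 2)
      raise InvalidEndpoint, "malformed member #{member.inspect}" unless quoted&.match?(/\A"[^"]*"\z/)
      acc[name.to_sym] = quoted[1..-2]
    end
  end

  # Serialize a CSP: fetch directives first, then report-to, then report-uri last.
  # report-to is a single token and must name a configured endpoint; report-uri
  # may carry several URLs.
  def self.csp(directives, report_to: nil, report_uri: nil, endpoints: nil)
    parts = directives.map { |d, srcs| "#{d.to_s.tr('_', '-')} #{Array(srcs).join(' ')}" }

    if report_to
      token = report_to.to_s
      raise InvalidEndpoint, "report-to #{token.inspect} is not a valid endpoint name" unless ENDPOINT_NAME.match?(token)
      if endpoints && !endpoints.keys.map(&:to_s).include?(token)
        raise InvalidEndpoint, "report-to #{token} does not name an endpoint in Reporting-Endpoints"
      end
      parts << "report-to #{token}"
    end

    uris = Array(report_uri)
    parts << "report-uri #{uris.join(' ')}" unless uris.empty?
    parts.join("; ")
  end

  # Both headers for one response; report-to is cross-checked against the
  # endpoint names so a typo cannot silently disable violation reporting.
  def self.headers(endpoints:, csp_directives:, report_to:, report_uri: nil)
    {
      "Reporting-Endpoints" => reporting_endpoints(endpoints),
      "Content-Security-Policy" => csp(csp_directives, report_to: report_to,
                                                      report_uri: report_uri, endpoints: endpoints)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample configuration; the example.com URLs are placeholders.
  ReportingExample.headers(
    endpoints: { default: "https://example.com/reports" },
    csp_directives: { default_src: ["'self'"], script_src: ["'self'", "https://cdn.example.com"] },
    report_to: "default",
    report_uri: "https://example.com/csp-legacy"
  ).each { |name, value| puts "#{name}: #{value}" }
end
```

Running the file prints the two headers a response would carry; the ordering puts `report-to` ahead of `report-uri` so the modern directive is what a CSP3 browser reads first, and the endpoint-name cross-check turns a misspelled `report_to` value into a build-time error rather than a browser that quietly drops every report.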