CSP report collector

Admin Interface

Today, I finished the rollout of the new version of my CSP report collector. It collects Content Security Policy violations that the browsers register when the users interact with the service.

I started this project in 2019 after I repeatedly missed some pages of my setups. Since I only used it on my static blog and on single-page installations, there was no inherent value in the URLs, and by not storing the IP addresses of the clients there was no data to be exploited.

New Features

After chatting with my friends at the Coredump.ch Hackerspace I agreed that for setups with private information in the URL this design was not ideal. So what is the minimal amount of data that we need?

  • Users
  • Customers
  • Users to Customers mapping

That leads us to the database relations:

Users <--- Users_Customers ---> Customers <--- Reports

I am a bit proud that I managed to complete the authentication without passwords or cookies. This allows me or my customers to use the service as a microservice down the line.
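As an added example (not the collector's own code), this is what the minimal data model above and the "store no client data" rule look like in practice: the four tables from the relation diagram in SQLite, and a parser that reduces a browser's application/csp-report body to a few fields, dropping query strings and fragments from the URIs since that is where private data usually lives. Column names, the customer id and the sample report are constructed assumptions.

```python
import json
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Tables for the post's relations Users <--- Users_Customers ---> Customers <--- Reports
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users_customers (user_id REFERENCES users(id),
    customer_id REFERENCES customers(id), PRIMARY KEY (user_id, customer_id));
CREATE TABLE reports (id INTEGER PRIMARY KEY, customer_id NOT NULL REFERENCES customers(id),
    document_uri TEXT, blocked_uri TEXT, violated_directive TEXT);
"""

def strip_private_parts(uri):
    """Keep scheme, host and path only; keywords such as 'inline' pass through."""
    parts = urlsplit(uri)
    if not parts.scheme:
        return uri
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def parse_csp_report(body):
    """Reduce an application/csp-report body to the fields worth storing."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None  # not JSON, or JSON that is not an object
    if not isinstance(report, dict):
        return None  # JSON object without a csp-report member
    return {  # query strings and fragments are dropped: that is where private data in URLs lives
        "document_uri": strip_private_parts(report.get("document-uri", "")),
        "blocked_uri": strip_private_parts(report.get("blocked-uri", "")),
        "violated_directive": report.get("violated-directive", ""),
    }

def store_report(conn, customer_id, body):
    """Store a report under a customer; the client IP is never passed in. Returns row id or None."""
    row = parse_csp_report(body)
    if row is None:
        return None
    cur = conn.execute(
        "INSERT INTO reports (customer_id, document_uri, blocked_uri, violated_directive)"
        " VALUES (?, ?, ?, ?)", (customer_id, *row.values()))
    return cur.lastrowid

def new_db():
    conn = sqlite3.connect(":memory:")  # constructed in-memory database with one customer
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers (id, name) VALUES (1, 'example customer')")
    return conn
```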

uBlock Origin: no reports from my own browser?

uBlock Origin on Firefox changed its default behaviour and now blocks CSP reports out of the box.

You can make an exception for your own domains without losing the protection on other sites:

  1. Open the settings of uBlock Origin
  2. Go to the My rules tab
  3. Under Temporary Rules: add an exception for the domains that create the CSP reports
    1. By adding no-csp-reports: estada.ch false you also include the subdomains
  4. Click the Save permanently button to persist the changes
  5. Trigger a report to verify that the exception works

For me the settings look like this:

uBlock Origin Rules

I would like to use your service

First, thank you! I am currently offering this service to my friends on an ask-nicely basis and to my customers as part of the whole package. So message me and we will work something out ☺

You can support my work in general here.