Today, I finished the rollout of the new version of my CSP report collector. It collects Content Security Policy violations that the browsers register when the users interact with the service.
I started this project in 2019 after I repeatedly missed some pages of my setups. Since I used it on my static blog and on single page installations. There was no inherit value in the URLs and by not storing the IP addresses of the clients there was no data to be exploited.
After chatting with my friends of the Coredump.ch Hackerspace I agreed: for setups that have private information in the URL this setup was not ideal. So what is the minimal amount of data that we need?
- Users to Customers mapping
That leads us to the database relations:
Users <--- Users_Customers ---> Customers <--- Reports
I am a bit proud that I managed to complete the authentication without password or cookies. This allows me or my customers to use the service as a micro service down the line.
uBlock Origin: no reports from my own browser?
uBlock Origin on Firefox changed the default behaviour and blocks CSP reports by default now.
You can make an exception for your own domains without loosing the protection on the other sites:
- Open the settings of uBlock Origin
- Go to the
Temporary Rules: Add an exception for the domains that create the CSP Report
- By adding
no-csp-reports: estada.ch falseyou also include the Sub-Domains
- By adding
- Click the
Save permanentlybutton to persist the changes
- Trigger a report to verify that the exception works
For me the settings look like this:
I would like to use your service
First, thank you! I am currently offering this service to my friends on a ask nicely basis and my customers as a part of the whole package. So message me and we will work something out ☺
You can support my work in general here.