Description
We don't currently enable CSP violation reports on www.mozilla.org.
This is partly because it's likely to be incredibly noisy with false positives (things like Add-ons will try to inject legitimate things, which get blocked by the rules, and if we get told about every instance of this, that'd be a lot).
Also, if we choose to use Sentry as our reporting backend (like we do for future.m.o) the volume of false positives across 100% of our traffic would rapidly exhaust the allocated Sentry quota.
However, while exploring django-csp, I found there is a setting that enables us to report for just X% of violations.
As a rough ballpark I'm assuming at least two million pages served per day, so initially setting X to 0.5% would be ~10k pages a day. Worst-case, if every single one of those had a CSP violation on it, that's still well within our quota and would be easy to spot/tune/disable if need be.
Success Criteria
Bedrock has a new setting for the CSP report header, pointing to the default Sentry profile for Dev/Stage/Prod/Test/Demo.
0.5% of pages are served with the report-uri header, which points to an appropriate Sentry profile. We can check this by loading ~200 pages with a script and checking the headers.
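Added example, not Bedrock's or django-csp's own code: a standalone sampler that sends the full policy on every response but appends report-uri on only a configured percentage of them, plus the header count used for the acceptance check and the worst-case quota arithmetic from the issue. The policy string, the Sentry URL and the 0.5% value are constructed placeholders.

```python
"""Sample CSP violation reporting on a fraction of responses (constructed illustration)."""
import random
from typing import Iterable, Optional

# Hypothetical values: the real Bedrock policy and Sentry DSN differ.
POLICY = "default-src 'self'; script-src 'self' https://www.mozilla.org"
REPORT_URL = "https://sentry.example.invalid/api/1/security/?sentry_key=PLACEHOLDER"
REPORT_PERCENTAGE = 0.5  # percent of responses that carry report-uri


def build_csp_header(policy: str, report_url: str, percentage: float,
                     roll: Optional[float] = None,
                     rng: Optional[random.Random] = None) -> str:
    """Return the CSP header value, appending report-uri on a sampled fraction.

    `roll` is a number in [0, 1); when omitted it is drawn from `rng` (or the
    module RNG).  Enforcement is unaffected by sampling: the policy directives
    are always sent, only the reporting directive is sampled.
    """
    if not 0 <= percentage <= 100:
        raise ValueError("percentage must be between 0 and 100")
    # Drop any report-uri already in the policy so it is never emitted twice.
    directives = [d.strip() for d in policy.split(";")
                  if d.strip() and not d.strip().startswith("report-uri ")]
    if roll is None:
        roll = (rng or random).random()
    if roll < percentage / 100:
        directives.append(f"report-uri {report_url}")
    return "; ".join(directives)


def count_report_headers(header_values: Iterable[str]) -> int:
    """Count responses whose CSP header carries report-uri (the acceptance check)."""
    return sum(1 for v in header_values if "report-uri " in v)


def expected_daily_reports(pages_per_day: int, percentage: float) -> int:
    """Worst-case report volume if every sampled page produced one violation."""
    return int(pages_per_day * percentage / 100)


if __name__ == "__main__":
    rng = random.Random(42)
    headers = [build_csp_header(POLICY, REPORT_URL, REPORT_PERCENTAGE, rng=rng)
               for _ in range(100_000)]
    print(count_report_headers(headers), "of 100000 responses carried report-uri")
    print("worst-case reports/day:", expected_daily_reports(2_000_000, REPORT_PERCENTAGE))
```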