I’m trying to receive CSP reports for my Magento 2 (open-source) website using their official guide:
https://developer.adobe.com/commerce/php/development/security/content-security-policies/
and using an endpoint generated from report-uri.com.
This is config.xml:
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                    <report_uri>https://*mysubdomain*.report-uri.com/r/d/csp/reportOnly</report_uri>
                </storefront>
                <admin>
                    <report_uri>https://*mysubdomain*.report-uri.com/r/d/csp/reportOnly</report_uri>
                    <report_only>1</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>
And then I created a csp_whitelist.xml as well.
I can see the reports being generated correctly in the report-uri dashboard ONLY when I’m navigating on Firefox.
I tried doing the same with Chrome and Opera but neither works. I looked into the headers and the endpoint is being correctly set up in Content-Security-Policy-Report-Only like this:
report-uri https://*mysubdomain*.report-uri.com/r/d/csp/reportOnly/; report-to report-endpoint;
Here’s the report-uri dashboard:

Can anyone tell me why reports are only working on Firefox?
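
A check one could run against the response headers, added here as an example and not part of the original post: under CSP Level 3 a browser that implements `report-to` ignores `report-uri`, so the group named in `report-to` has to be declared by a `Report-To` or `Reporting-Endpoints` response header. The header values below are constructed, with `example.report-uri.com` and its path as placeholders; the post does not confirm whether this is the cause on the poster's site.

```python
import json
import re

CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

def parse_csp(value):
    """Split one CSP header value into {directive: [tokens]} (first occurrence wins)."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def defined_groups(headers):
    """Endpoint group names declared by Report-To (JSON) or Reporting-Endpoints."""
    groups = set()
    try:
        # Report-To carries comma-separated JSON objects; "group" defaults to "default".
        for obj in json.loads("[" + headers.get("report-to", "") + "]"):
            groups.add(obj.get("group", "default"))
    except (ValueError, AttributeError):
        pass  # an unparseable Report-To value declares no usable group
    # Reporting-Endpoints is a dictionary of name="url" pairs.
    pairs = headers.get("reporting-endpoints", "")
    groups.update(re.findall(r'(?:^|,)\s*([a-z*][a-z0-9_.*-]*)\s*=', pairs))
    return groups

def unresolved_report_to(raw_headers):
    """Return (header, group) pairs whose report-to group has no endpoint declared."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    groups = defined_groups(headers)
    missing = []
    for name in CSP_HEADERS:
        tokens = parse_csp(headers.get(name, "")).get("report-to")
        if tokens and tokens[0] not in groups:
            missing.append((name, tokens[0]))
    return missing

# Constructed sample: the directive pair from the post, with a placeholder host.
POLICY = ("report-uri https://example.report-uri.com/r/d/csp/reportOnly/; "
          "report-to report-endpoint;")
ENDPOINT = "https://example.report-uri.com/placeholder"  # placeholder URL
as_posted = {"Content-Security-Policy-Report-Only": POLICY}
with_endpoint = {**as_posted, "Reporting-Endpoints": 'report-endpoint="%s"' % ENDPOINT}

if __name__ == "__main__":
    print("as posted:    ", unresolved_report_to(as_posted))
    print("with endpoint:", unresolved_report_to(with_endpoint))
```

A non-empty result means a browser that honours `report-to` has nowhere to deliver the report, while a browser that only implements `report-uri` still posts to the URL in that directive.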