Content Security Policy violation details missing on report-uri
- Chrome correctly sends CSP reports "with a Content-Type header field of application/csp-report" according to CSP spec level 2 (https://www.w3.org/TR/CSP/#violation-reports)
- Other browsers are still sending `application/json` as described in CSP spec level 1
- I'm accepting reports with nodejs + expressjs + body-parser. By default body-parser only parses requests with `content-type: application/json`

Had to include `application/csp-report` as a valid content type to parse.
Changed this...

```javascript
app.use(bodyParser.json());
```

To this...

```javascript
app.use(bodyParser.json({type: ['application/json', 'application/csp-report']}));
```
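The same content-type handling without a framework, as an added example that is not part of the original answer: it accepts both media types named above, ignores parameters such as `charset`, and keeps only known report fields because a report endpoint receives unauthenticated input. The names `parseCspReport`, `MAX_BODY_BYTES` and `KEPT_FIELDS`, the size cap and the sample report are assumptions made for illustration.

```javascript
const ACCEPTED_TYPES = new Set(['application/csp-report', 'application/json']);
const MAX_BODY_BYTES = 16 * 1024; // assumed cap; the endpoint is unauthenticated
const KEPT_FIELDS = ['document-uri', 'violated-directive', 'effective-directive',
                     'blocked-uri', 'source-file', 'line-number'];

// Reduce "Application/CSP-Report; charset=utf-8" to "application/csp-report".
function mediaType(contentTypeHeader) {
  return String(contentTypeHeader || '').split(';')[0].trim().toLowerCase();
}

// Returns { ok: true, report } or { ok: false, status, reason }.
function parseCspReport(contentTypeHeader, rawBody) {
  if (!ACCEPTED_TYPES.has(mediaType(contentTypeHeader))) {
    return { ok: false, status: 415, reason: 'unsupported content type' };
  }
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, reason: 'body too large' };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, status: 400, reason: 'invalid JSON' };
  }
  const details = parsed && parsed['csp-report'];
  if (typeof details !== 'object' || details === null || Array.isArray(details)) {
    return { ok: false, status: 400, reason: 'missing csp-report object' };
  }
  // Copy only known fields, as bounded strings, so sender-supplied keys
  // never reach the log or the datastore.
  const report = {};
  for (const field of KEPT_FIELDS) {
    if (details[field] !== undefined) {
      report[field] = String(details[field]).slice(0, 2048);
    }
  }
  return { ok: true, report };
}

// Constructed sample report, parsed under each content type.
const sampleBody = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://example.test/page',
  'violated-directive': "script-src 'self'",
  'blocked-uri': 'https://cdn.example.test/x.js',
  'unexpected-key': 'dropped' } });
console.log(parseCspReport('application/csp-report', sampleBody));
console.log(parseCspReport('application/json; charset=utf-8', sampleBody));
console.log(parseCspReport('text/plain', sampleBody));
```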