uBlock Origin ad-blocker knocked for blocking hack attack squawking

Adam 1

Re: disagree with Scott and Troy

With respect, some of those arguments don't really hold water. For a start, it is not comparable to relying upon a WAF to avoid worrying about input sanitisation. CSPs are effective to the extent that

1. The website has implemented it allowing only what is needed.

2. The browser reacts correctly to the directive

3. The site is designed in such a way to allow 1 to restrict enough things that miscreants might exploit.

It is only after 2 occurs that you can possibly receive an error report. Or, looking from another angle, if the CSP didn't "save us", then neither could the owner "be informed" via the CSP rule. It is possible that my safety is improved because another user submitted a report from their browser where mine didn't react correctly, which is a point that I made from the opposite angle. It is not their responsibility to protect me from my browser choice.

Do I have a specific exploit in mind? No, but miscreants are a lot more creative than me, so let me don my evil Adam1 hat and give it a go. A user may have some crazy notion about executing unverified code from a site you have no prior knowledge about. So they may have scripts disabled, either in the browser settings or via NoScript etc. The site owner could still track by generating a fake rollover image at GUID.NewGUID().com and reconciling through the backend what I scrolled to, etc. I imagine something similar could be done to regenerate deleted cookies based on a fake URI generated from a browser fingerprint.

That said, I don't have a fundamental problem with uBO providing users the option to whitelist specific report URIs, or even to whitelist all same-origin report URIs. It is problematic to generally assert that your service is fine because of your claimed privacy policy. That may be true (and FWIW I believe it to be true), but that is a point-in-time guarantee. There are plenty of examples of websites that were at one point highly trusted but over the years were sold to companies who sold to others and so on, and today have quite ethically dubious practices. Look at other examples from plugins like Adblock Plus or WOT, which either changed how they operated or were less than upfront about it.

I would actually prefer that a CSP violation be treated like a broken cert rather than as silent telemetry: the browser would not render the page but instead show the message "Warning: This website attempted to download a resource in violation of its content security policy." with buttons like "Get me out of here", add-exception logic and a "report error" checkbox. Maybe we'll get there in a few years once the CSP story improves across the board. You may argue warning fatigue here. That is certainly something to consider, but to my mind if your site is running a script or downloading another resource that you, the website author, didn't expect, there are larger problems.
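The comment's three conditions (a policy that allows only what is needed, a browser that enforces it, and a report that only arrives after enforcement) and the suggestion of whitelisting same-origin report URIs can be made concrete with a small Python example. This is an added illustration, not code from the comment, from uBlock Origin or from The Register; the origin `https://example.com`, the `/csp-report` path and the sample violation report are constructed here. The `report-uri` and `Content-Security-Policy-Report-Only` names are the real directive and header names; the blocked-uri values `inline` and `eval` are the special values browsers send for inline and eval violations.

```python
import json
from urllib.parse import urlparse


def origin_of(url):
    """Return scheme://host[:port] in lower case, or None for relative/invalid URLs."""
    p = urlparse(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def build_csp(origin, report_path="/csp-report", report_only=False):
    """Point 1 of the comment: a deny-by-default policy that permits only same-origin
    resources, with reports sent back to the site's own origin (constructed example).
    Report-Only mode is the usual way to validate a policy before enforcing it."""
    policy = "; ".join([
        "default-src 'none'",
        "script-src 'self'",
        "style-src 'self'",
        "img-src 'self'",
        "connect-src 'self'",
        "base-uri 'none'",
        "form-action 'self'",
        f"report-uri {origin}{report_path}",
    ])
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, policy


def report_targets(policy):
    """Extract the report-uri targets from a policy string."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "report-uri":
            return parts[1:]
    return []


def report_targets_same_origin(policy, page_origin):
    """The 'whitelist same-origin report URIs' check the comment proposes: every
    report-uri target must be a relative path or share the page's origin."""
    targets = report_targets(policy)
    page_origin = page_origin.lower()
    return bool(targets) and all(
        t.startswith("/") or origin_of(t) == page_origin for t in targets
    )


def parse_csp_report(body, expected_origin):
    """Server side of point 2/3: validate a browser-submitted violation report.
    Reports are unauthenticated, so anything malformed or not about one of our own
    pages is dropped (returns None) before it reaches alerting."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None
    if not isinstance(report, dict):
        return None
    doc = report.get("document-uri", "")
    if origin_of(doc) != expected_origin.lower():
        return None
    blocked = report.get("blocked-uri", "")
    # 'inline' and 'eval' are browser-defined markers, not remote hosts.
    third_party = blocked not in ("", "inline", "eval", "self") and origin_of(blocked) != expected_origin.lower()
    return {
        "page": doc,
        "directive": report.get("violated-directive") or report.get("effective-directive", ""),
        "blocked": blocked,
        "third_party": third_party,
    }


# Constructed sample report of the kind a browser POSTs to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/account",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://tracker.invalid/t.js",
    "status-code": 200,
}})


if __name__ == "__main__":
    header, policy = build_csp("https://example.com")
    print(f"{header}: {policy}")
    print("report targets same-origin:", report_targets_same_origin(policy, "https://example.com"))
    print(parse_csp_report(SAMPLE_REPORT, "https://example.com"))
```

A report whose document-uri is not one of our own pages is discarded rather than logged: the endpoint is public and otherwise becomes a free log-injection channel, which is the flip side of the comment's point that a report only proves anything when a compliant browser generated it for a page we actually served.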
