Reporting API Demos

Supported by

Browser Reporting

This is a live reporting demo tool. Although you'll dive deep into the technologies mentioned below, you'll not dive very deep, and instead, we'll focus on the reporting side of things. The headers shown here are real headers sent by the server and received by your browser, with real values. You can click around and see how things behave and how reporting works. These demos also work on smaller screens and mobile devices, although sometimes it might be handy to use a desktop browser to open developer tools (F12, Ctrl/Cmd+Shift+I) and watch the Console and Network tabs. In Chrome, you can also use chrome://net-export/ (copy/paste the link) to see "hidden" asynchronous reports in exported logs. See my article about how to read the logs.

Not all of these use Reporting API, some are proprietary reporting mechanisms and you'll notice them easily – they don't use the Report-To header.

1. Content Security Policy report-uri
2. Content Security Policy report-to
3. More CSP report-to – load resources by specified URL, submit forms
4. CSP Report-Only report-uri – mixed content detection
5. CSP Report-Only report-to
6. Crash
7. Deprecation
8. Intervention
9. Network Error Logging
10. Permissions Policy
11. Permissions Policy in iframes
12. Permissions Policy Report-Only

Removed Browser Reporting

Browsers used to send some reports but don't anymore as these features have been (mostly) removed:

• XSS Auditor
• HTTP-based Public Key Pinning
• Expect-CT

Other Reporting

1. Certification Authority Authorization (CAA)
2. Domain-based Message Authentication, Reporting and Conformance (DMARC)
3. SMTP TLS Reporting (SMTP TLSRPT)

Trusted Types DOM-based XSS Prevention & Reporting

Trusted Types require you to escape the data before passing it to a property like innerHTML or a method like document.write(). These dangerous features that can execute arbitrary JavaScript are called sinks and when Trusted Types are enabled, these sinks only accept a TrustedHTML object. You can produce such objects by creating a policy and calling its createHTML() method. See my article about DOM-based XSS and Trusted Types for more details.

1. Injection Sinks Detection with Trusted Types and CSPRO
2. Prevent DOM-XSS with Trusted Types and a custom policy
3. Prevent DOM-XSS with Trusted Types and a default policy

Your Reports

• View your reports (kept for 30 days)
• Your canhas.report reporting subdomain is clue Change
• Instead, you can send reports to Report URI report aggregator and monitoring platform:
  1. Register or sign in
  2. Add canhas.report to Global Report Filters > Sites to collect reports for in Filters
  3. Go to Setup > Custom subdomain and copy Your current subdomain (ends with .report-uri.com), you can also customize it first
  4. Setup reporting to Report URI

Meta

• Source code
• The domain name can has is a reference to this meme

Tools

• report-uri.com Browser reporting aggregator ← I've worked on this one
• securityheaders.com Security headers tester
• Other testers: hardenize.com, observatory.mozilla.org