Is it possible to implement the header for Content-Security-Policy-Report-Only on CDN on Azure App Services?
I am unable to add it with a blank value, and if I add a value that is valid for Content-Security-Policy, e.g. then it also fails.
Content-Security-Policy-Report-Only header should have a mandatory report-uri or report-to directive, otherwise it will display a warning in the console that your header does nothing.
Content-Security-Policy-Report-Only header does not block; it just sends reports about the intention to block something. So you can figure out missed sources and add these to appropriate directives.
You can use starter CSP, for example:
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://YourReportHandler.com/csp-endpoint
Then check the violation reports and add sources blocked to the starter CSP.
Note. To handle violation reports you can use raygun.com / report-uri.com and similar third-party services or handle CSP report on your own, for example Save reports to Azure Table storage.
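As an added illustration of the "check the violation reports and add blocked sources" step (this is example code written for this page, not the answerer's own handler and not an Azure or report-uri.com API): the script below parses violation reports in both the legacy report-uri JSON shape and the Reporting API (report-to) batch shape, maps each blocked URL to the CSP source expression that would allow it, and merges the new sources into the starter policy from the answer. The sample reports, the host names under example.test and the function names are constructed for the example. Reports whose blocked-uri is inline or eval are deliberately left out of the suggestions, because those need a nonce, hash or a code change rather than an allowlist entry.

```python
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Starter policy from the answer above.
STARTER_POLICY = (
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "report-uri https://YourReportHandler.com/csp-endpoint"
)

# Constructed sample reports (not captured from real traffic).
# Legacy report-uri format: one JSON object per POST body.
LEGACY_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://app.example.test/",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.test/lib/vendor.js",
        "status-code": 200,
    }
})

# Reporting API (report-to) format: a JSON array of reports per POST body.
REPORT_TO_BATCH = json.dumps([
    {"type": "csp-violation", "body": {
        "documentURL": "https://app.example.test/",
        "effectiveDirective": "img-src",
        "blockedURL": "https://images.example.test/logo.png"}},
    {"type": "csp-violation", "body": {
        "documentURL": "https://app.example.test/",
        "effectiveDirective": "script-src",
        "blockedURL": "inline"}},
])


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Turn 'default-src 'self'; script-src ...' into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_policy(directives: Dict[str, List[str]]) -> str:
    """Inverse of parse_policy; keeps directive order."""
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in directives.items())


def extract_violations(body: str) -> List[Tuple[str, str]]:
    """Return (effective_directive, blocked_uri) pairs from either report format."""
    data = json.loads(body)
    found: List[Tuple[str, str]] = []
    if isinstance(data, dict) and "csp-report" in data:           # legacy report-uri shape
        r = data["csp-report"]
        violated = (r.get("violated-directive") or "").split()    # old browsers append sources
        directive = r.get("effective-directive") or (violated[0] if violated else "")
        found.append((directive, r.get("blocked-uri", "")))
    elif isinstance(data, list):                                   # report-to batch shape
        for item in data:
            if item.get("type") == "csp-violation":
                b = item.get("body", {})
                found.append((b.get("effectiveDirective", ""), b.get("blockedURL", "")))
    return found


def source_expression(blocked_uri: str) -> Optional[str]:
    """Map a blocked URI to the source expression that would allow it, or None when
    an allowlist entry is the wrong fix (inline/eval need a nonce, hash or refactor)."""
    if blocked_uri in ("", "inline", "eval", "wasm-eval"):
        return None
    if blocked_uri in ("data", "blob", "filesystem"):              # legacy reports send bare scheme
        return blocked_uri + ":"
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("data", "blob"):
        return parts.scheme + ":"
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"                  # allow the origin, not one file
    return None


def suggest_additions(policy: str, report_bodies: List[str]) -> Dict[str, List[str]]:
    """Return {directive: [sources]} that the reports show are blocked but not yet allowed."""
    current = parse_policy(policy)
    additions: Dict[str, List[str]] = {}
    for body in report_bodies:
        for directive, blocked in extract_violations(body):
            src = source_expression(blocked)
            if src is None or not directive:
                continue
            # A directive absent from the policy inherits default-src.
            existing = current.get(directive, current.get("default-src", []))
            if src not in existing and src not in additions.get(directive, []):
                additions.setdefault(directive, []).append(src)
    return additions


def apply_additions(policy: str, additions: Dict[str, List[str]]) -> str:
    """Produce the updated policy string with the suggested sources merged in."""
    current = parse_policy(policy)
    for directive, srcs in additions.items():
        base = list(current.get(directive) or current.get("default-src", []))
        current[directive] = base + srcs
    return serialize_policy(current)


if __name__ == "__main__":
    suggested = suggest_additions(STARTER_POLICY, [LEGACY_REPORT, REPORT_TO_BATCH])
    print("suggested additions:", suggested)
    print("updated policy:", apply_additions(STARTER_POLICY, suggested))
```

Run the reports through suggest_additions, review the output by hand (a blocked origin is not automatically one you want to trust), then move the reviewed policy from Content-Security-Policy-Report-Only to Content-Security-Policy.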