Report-Sample-Injector
Overview
This addon edits the CSP header(s) to include a missing 'report-sample' for certain directives if a report-uri endpoint is included.
This addon edits incoming CSP header(s) to include the 'report-sample' value for the 'script-src', 'script-src-elem', 'script-src-attr', 'style-src', 'style-src-elem', and 'style-src-attr' directives. A directive is edited only if it is present and does not already include 'report-sample', and only if the 'report-uri' directive is present with an endpoint specified.

The addon assumes that a developer who specifies a report-uri endpoint in the CSP is interested in receiving violation reports. However, without an explicit 'report-sample' value for certain directives, the reports for different kinds of violations (e.g., inline handlers vs. inline scripts vs. javascript URIs for script-src) might look indistinguishable (the behaviour is browser-dependent at the moment).

The keyword 'report-sample', when specified for certain CSP directives, makes compliant browsers include the first 40 characters of the code that caused the violation in the report that is POSTed to the report-uri endpoint. By injecting 'report-sample' where it is missing, if report-uri is present, this addon aims to help developers understand which portion of the website code is responsible for the violation(s).
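The rewrite rule described above can be sketched as follows. This is an added example, not the extension's own source; the function names and the sample header are constructed for illustration, and it assumes each comma-separated policy in a header value is treated independently.

```javascript
// Directives the description lists as eligible for 'report-sample'.
const TARGETS = new Set([
  'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr',
]);

// Split one serialized policy into { name, values } records.
function parsePolicy(policy) {
  return policy.split(';')
    .map((d) => d.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map(([name, ...values]) => ({ name, values }));
}

// Rewrite a single policy; return it unchanged when no report-uri endpoint is set.
function injectIntoPolicy(policy) {
  const directives = parsePolicy(policy);
  const hasEndpoint = directives.some(
    (d) => d.name.toLowerCase() === 'report-uri' && d.values.length > 0);
  if (!hasEndpoint) return policy.trim();
  return directives.map(({ name, values }) => {
    const missing = TARGETS.has(name.toLowerCase()) &&
      !values.some((v) => v.toLowerCase() === "'report-sample'");
    // Existing source expressions are kept; the keyword is only appended.
    return [name, ...values, ...(missing ? ["'report-sample'"] : [])].join(' ');
  }).join('; ');
}

// A header value may carry several comma-separated policies.
function injectReportSample(headerValue) {
  return headerValue.split(',').map(injectIntoPolicy).join(', ');
}

// Constructed sample header (not taken from a real site).
const sample = "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /csp";
console.log(injectReportSample(sample));
```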
Details
- Version: 1.2
- Updated: November 25, 2019
- Offered by: Emanuele Uliana
- Size: 8.03KiB
- Languages: English (UK)
- Developer email: emanuele.uliana.90@gmail.com
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.