cloudfront: Support Content-Security-Policy-Report-Only header #29006

Open
dillonstreator opened this issue Feb 6, 2024 · 3 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p3

Comments

dillonstreator commented Feb 6, 2024

Describe the feature

Support setting 'report-only' mode for CSP in the ResponseHeadersPolicy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

Use Case

The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Proposed Solution

Add a field ResponseHeadersContentSecurityPolicy.reportOnly as an optional boolean that defaults to false. Internally, this could tack the -Report-Only suffix to the header.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.126.0

Environment details (OS name and version, etc.)

n/a
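As an added example that is neither CDK's own code nor part of this issue, the function below models the proposed `reportOnly` switch: it assembles a CSP value from a directive map, picks the enforcing or `-Report-Only` header name, and refuses a report-only policy that has no `report-uri`/`report-to` directive, since such a policy neither blocks nor reports anything. The `{header, value, override}` record shape is assumed to match what CDK's `customHeadersBehavior` accepts; wiring it into a `ResponseHeadersPolicy` is not shown.

```typescript
// Added example (not aws-cdk-lib code): model of the proposed
// ResponseHeadersContentSecurityPolicy.reportOnly flag from this issue.

interface CspConfig {
  // Directive name -> source list, e.g. { "default-src": ["'self'"] }.
  // Valueless directives (upgrade-insecure-requests) use an empty array.
  directives: Record<string, string[]>;
  reportOnly?: boolean; // proposed field; defaults to false (enforce)
  override?: boolean;   // mirrors CDK's header `override` flag (assumed shape)
}

interface HeaderRecord {
  header: string;
  value: string;
  override: boolean;
}

const ENFORCE_HEADER = "Content-Security-Policy";
const REPORT_ONLY_HEADER = `${ENFORCE_HEADER}-Report-Only`;

function buildCspHeader(cfg: CspConfig): HeaderRecord {
  const names = Object.keys(cfg.directives);
  if (names.length === 0) {
    throw new Error("CSP needs at least one directive");
  }
  // Report-only mode only has an effect if violation reports go somewhere.
  const hasReporting = names.includes("report-uri") || names.includes("report-to");
  if (cfg.reportOnly && !hasReporting) {
    throw new Error("report-only CSP without report-uri/report-to never reports");
  }
  // Serialise directives in insertion order: "name src1 src2; name2 ...".
  const value = names
    .map((n) => {
      const sources = cfg.directives[n];
      return sources.length > 0 ? `${n} ${sources.join(" ")}` : n;
    })
    .join("; ");
  return {
    header: cfg.reportOnly ? REPORT_ONLY_HEADER : ENFORCE_HEADER,
    value,
    override: cfg.override ?? true,
  };
}
```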

@dillonstreator dillonstreator added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 6, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Feb 6, 2024
msambol (Contributor) commented Feb 7, 2024

dillonstreator (Author) commented
@msambol thank you for this callout! This does work and unblocks the use case. I still think the ergonomics/discoverability/DX would be greatly improved if ResponseHeadersContentSecurityPolicy directly supported a reportOnly field to manage this.

tim-finnigan commented
Thanks for the feature request and workaround noted above, linking documentation for reference: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersContentSecurityPolicy.html

@tim-finnigan tim-finnigan self-assigned this Feb 7, 2024
@tim-finnigan tim-finnigan added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Feb 7, 2024
@tim-finnigan tim-finnigan removed their assignment Feb 7, 2024
@tim-finnigan tim-finnigan added p2 effort/medium Medium work item – several days of effort labels Feb 7, 2024
@pahud pahud added p3 and removed p2 labels Jun 11, 2024