Ability to define a "report-only" Content Security Policy
Wanted to request an addition to the Security tab for apps: a "Content Security Policy (Report Only)" text area, which would place field content into the Content-Security-Policy-Report-Only header.
Adding a dedicated "report-only" header field would allow Cloudron users to test out and observe errors from more restrictive CSP directives, and then more confidently migrate them to the enforced "Content Security Policy" field that is already supported.
We are in the process of rolling out content security policies for a number of apps, and appreciate that Cloudron provides an easy way to do this from the app's Security tab. Like many others, we want to tread lightly when rolling out new CSP directives (since these can immediately break app functionality for end users), and have found starting new directives in the "report-only" CSP headers has made this easy.
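The rollout workflow described in the post, as an added example that is not part of the original post and not Cloudron code: it summarizes report-only violations by directive and blocked source, so you can see what a candidate policy would break before moving it to the enforced field. It assumes the candidate policy includes a `report-uri` directive pointing at a collector you run; the sample bodies and host names are constructed.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample bodies in the JSON shape browsers POST to a `report-uri`
# endpoint (Content-Type: application/csp-report). Hosts are placeholders.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example.com/", "disposition": "report",'
    ' "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    '{"csp-report": {"document-uri": "https://app.example.com/x", "disposition": "report",'
    ' "violated-directive": "script-src \'self\'", "blocked-uri": "https://cdn.example.net/b.js"}}',
    '{"csp-report": {"document-uri": "https://app.example.com/", "disposition": "report",'
    ' "effective-directive": "style-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://app.example.com/", "disposition": "enforce",'
    ' "effective-directive": "img-src", "blocked-uri": "https://img.example.org/a.png"}}',
    'not json',
]

def blocked_source(uri):
    """Collapse a blocked-uri to its origin; keep keywords such as 'inline' or 'eval'."""
    parts = urlsplit(uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri or "(empty)"

def summarize(raw_reports):
    """Count report-only violations per directive and blocked source."""
    summary = defaultdict(Counter)
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed body: anyone can POST to a report endpoint
        if not isinstance(report, dict) or report.get("disposition") == "enforce":
            continue  # only the Report-Only policy is under test here
        # Older browsers send only violated-directive (the directive plus its value).
        legacy = str(report.get("violated-directive") or "").split() or ["unknown"]
        directive = str(report.get("effective-directive") or legacy[0])
        summary[directive][blocked_source(str(report.get("blocked-uri") or ""))] += 1
    return {d: dict(c) for d, c in summary.items()}

def ready_to_enforce(summary):
    """True when no report-only violations were seen in the observed window."""
    return not summary

if __name__ == "__main__":
    for directive, sources in summarize(SAMPLE_REPORTS).items():
        print(directive, sources)
```

Each remaining entry is either a source to add to the candidate policy or a resource to remove from the app before the policy is enforced.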