
Browser Support • Speaking of CSP - Unexpected 'self' Replacement in Reports

Since there were a couple issues relating to it, I decided to do some tinkering in the area, and noticed a kind of unexpected behavior in the reporting system - the term 'self' ends up getting replaced by the local domain in CSP error messages and reports - DO NOT BE FOOLED. The entry is handled strictly as 'self' within the actual CSP logic - this can result in console errors and reports that mention a rule that redundantly says, for example, "base-uri https:\/\/mywebsite.com https:\/\/mywebsite.com https:\/\/*.mywebsite.com" when it in fact means "base-uri 'self' https:\/\/mywebsite.com https:\/\/*.mywebsite.com" and correctly behaves as such.
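Added example, not part of the original post: a report collector can use a check like this to recognise a reported policy that differs from the deployed header only by the 'self' rewrite described above, instead of flagging it as a policy mismatch. The function names and the sample report body are constructed for illustration; the code assumes the report arrives as a `csp-report` JSON object with `document-uri` and `original-policy` fields.

```javascript
// Added example, not from the original post. Function names are hypothetical.
// Parse a CSP string into Map<directive, sources[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP, so keep only the first one.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Mirror the rewrite described in the post: 'self' shown as the page origin.
function expandSelf(sources, origin) {
  return sources.map((s) => (s.toLowerCase() === "'self'" ? origin : s));
}

// match: reported policy equals the deployed one, literally or after the rewrite.
// rewritten: directives that differ only by 'self' -> origin.
function compareReportedPolicy(deployed, reported, origin) {
  const dep = parsePolicy(deployed);
  const rep = parsePolicy(reported);
  const rewritten = [];
  let match = dep.size === rep.size;
  for (const [name, sources] of dep) {
    const seen = (rep.get(name) || ['<missing>']).join(' ');
    if (seen === sources.join(' ')) continue;
    if (seen === expandSelf(sources, origin).join(' ')) rewritten.push(name);
    else match = false;
  }
  return { match, rewritten };
}

// Constructed sample: deployed header and a report body as a collector receives it.
const DEPLOYED = "base-uri 'self' https://mywebsite.com https://*.mywebsite.com";
const REPORT_BODY = String.raw`{"csp-report":{"document-uri":"https:\/\/mywebsite.com\/page","original-policy":"base-uri https:\/\/mywebsite.com https:\/\/mywebsite.com https:\/\/*.mywebsite.com"}}`;

function checkSampleReport() {
  const report = JSON.parse(REPORT_BODY)['csp-report']; // JSON.parse turns \/ into /
  const origin = new URL(report['document-uri']).origin;
  return compareReportedPolicy(DEPLOYED, report['original-policy'], origin);
}

console.log(checkSampleReport());
```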
