The report-uri directive can be used to tell the browser to report any policy infringements. This feature is useful for tracking down policy errors during development and pilot operation, and it also allows attacks to be detected during normal operation. The one fly in the ointment, however, is that browser extensions can also generate policy infringements, so not every report will be a policy error or an attack.
For security reasons, the target has to be located in the same domain as the web site. To get the browser to send the report, report-uri smoke-detector.php (for example) is added to the policy. This ensures that any policy infringements are sent to smoke-detector.php in the form of POST requests. The data is in JSON format and is even slightly more detailed than the warnings output in the console.
The script smoke-detector.php could, for example, write the report to the web server's error log:
error_log('CSP report from '.$_SERVER['REMOTE_ADDR'].': User Agent: '.$_SERVER['HTTP_USER_AGENT'].' Error report: '.file_get_contents('php://input'));
Even where web space has been rented, it will usually be possible to access the PHP error report. With 1&1, for example, this requires that error reporting is first activated in the php.ini file located in the same directory as the PHP script. In this case, the location to which the error report should be saved has to be entered as an absolute path. The root directory can be determined using the PHP command echo($_SERVER['REDIRECT_DOCUMENT_ROOT']);. To ensure that information about potential weak points on the web site is available to the webmaster only, the error report needs to be saved to a protected directory.
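A more defensive smoke-detector.php, given here as an added example rather than the article's own script: it caps the request body, accepts only JSON that contains a csp-report object, strips control characters so that report fields and the User-Agent header cannot forge extra log lines, and tags reports whose blocked-uri looks like a browser extension. The size limit, the extension pattern, the function names and PHP 7.1 or later are assumptions.

```php
<?php
// smoke-detector.php (added example): validate a CSP violation report
// sent as a JSON POST body and write it to the error log as one line.
const MAX_REPORT_BYTES = 8192; // assumption: larger bodies are rejected

// Replace control characters and truncate, so untrusted values stay on one log line.
function clean_for_log($value, int $maxLen = 300): string
{
    if (!is_scalar($value)) {
        return '-';
    }
    $s = (string) preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $value);
    return substr($s, 0, $maxLen);
}

// Build the log line for a request body, or return null if it is not a CSP report.
function format_csp_report(string $body, string $remoteAddr, string $userAgent): ?string
{
    if ($body === '' || strlen($body) > MAX_REPORT_BYTES) {
        return null;
    }
    $data = json_decode($body, true);
    $r = is_array($data) ? ($data['csp-report'] ?? null) : null;
    if (!is_array($r)) {
        return null;
    }
    $blocked = clean_for_log($r['blocked-uri'] ?? '-');
    // Heuristic (assumption): extension-caused violations carry an extension scheme.
    $ext = preg_match('/^(chrome|moz|safari(-web)?|ms-browser)-extension/i', $blocked) === 1;
    return sprintf(
        'CSP report%s from %s: User Agent: %s document=%s directive=%s blocked=%s',
        $ext ? ' [extension]' : '',
        clean_for_log($remoteAddr, 45),
        clean_for_log($userAgent),
        clean_for_log($r['document-uri'] ?? '-'),
        clean_for_log($r['violated-directive'] ?? '-'),
        $blocked
    );
}

// Entry point: browsers deliver reports as POST requests.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $body = (string) file_get_contents('php://input', false, null, 0, MAX_REPORT_BYTES + 1);
    $line = format_csp_report($body, $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['HTTP_USER_AGENT'] ?? '-');
    if ($line !== null) {
        error_log($line);
    }
    http_response_code($line !== null ? 204 : 400);
}
```

Lines tagged [extension] can be filtered out when reviewing the log, which separates the extension noise mentioned above from genuine policy errors and attacks.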