Skip to content

CSP report only mode #3556

Description

@Rich-Harris

Describe the problem

It's generally considered a good idea to enable content-security-policy-report-only before enabling CSP, just in case it will break a bunch of stuff.

Describe the proposed solution

With this config, the header name would be content-security-policy-report-only instead of content-security-policy. Everything else would be unchanged.

// svelte.config.js
export default {
  kit: {
    csp: {
      reportOnly: true,
      directives: {...}
    }
  }
};

Alternatives considered

No response

Importance

nice to have

Additional Information

No response

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions