Joomla 4 with sample blog content installed
Enable com_csp with settings:
Browse the frontend of the site a bit
Login to the frontend and edit an article
Browse the admin console of the site a bit
Return to com_csp - this gives us 9 reports - publish them all (because a user doesn't understand what he's doing and just wants it to work)
Click Options
Set mode to Automatic
Set Report-Only to no
Save
Now I cannot even run JS on the page :)
Content-Security-Policy: default-src 'self' 'self' data; frame-ancestors 'self' ; default-src 'self' ; script-src 'self' 'nonce-YjE3NWEyMmYzYTM3YjNjZjYzNmZmYWNmYTQyNTA2ZmRlOGJjOTAxMDVkNDJmMTFhYmRmNWVjZDdlN2MwZTllNzA0YThmYjdjODUwM2EwYTRlZjVlY2ZkZTE0NDRkMDNjZDg0NWVlZjI3M2QzZmFkYjNjYjYyOTc1NWU0MzQxNDk='; style-src 'self' 'nonce-YjE3NWEyMmYzYTM3YjNjZjYzNmZmYWNmYTQyNTA2ZmRlOGJjOTAxMDVkNDJmMTFhYmRmNWVjZDdlN2MwZTllNzA0YThmYjdjODUwM2EwYTRlZjVlY2ZkZTE0NDRkMDNjZDg0NWVlZjI3M2QzZmFkYjNjYjYyOTc1NWU0MzQxNDk='
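Added example, not code from the Joomla issue or from com_csp: a small linter for a Content-Security-Policy header value. It reports the two defects visible in the header pasted above. A directive listed twice is a problem because the CSP specification has the user agent keep the first occurrence and ignore later ones, so the second `default-src` never takes effect; and a scheme written without its trailing colon (`data` instead of `data:`) is parsed as a host named "data" rather than as the data: scheme. The nonce in the embedded header is shortened to a constructed value.

```python
"""Added example, not code from the Joomla issue or from com_csp: a small
linter for a Content-Security-Policy header value. It flags a directive that
appears more than once (only the first occurrence is applied by browsers) and a
scheme-source written without its trailing colon ('data' instead of 'data:')."""

import re

# Schemes that commonly appear as scheme-sources; a valid scheme-source ends in ':'.
KNOWN_SCHEMES = {"data", "blob", "http", "https", "ws", "wss", "mediastream", "filesystem"}

# Quoted keyword sources allowed by CSP Level 3, nonce- and hash-sources included.
KEYWORD_RE = re.compile(
    r"^'(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic|report-sample|"
    r"nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=_-]+)'$"
)


def parse_csp(header):
    """Split a header value into an ordered list of (directive, sources), keeping duplicates."""
    directives = []
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def effective_policy(header):
    """Directives as a browser would apply them: the first occurrence of a name wins."""
    policy = {}
    for name, sources in parse_csp(header):
        policy.setdefault(name, sources)
    return policy


def lint_csp(header):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    findings = []
    seen = set()
    for name, sources in parse_csp(header):
        if name in seen:
            findings.append(f"duplicate directive '{name}': only the first occurrence is applied")
        seen.add(name)
        for src in sources:
            if src in KNOWN_SCHEMES:
                findings.append(f"{name}: '{src}' lacks its trailing colon, write '{src}:'")
            elif src.startswith("'") and not KEYWORD_RE.match(src):
                findings.append(f"{name}: unrecognised keyword source {src}")
        if len(sources) != len(set(sources)):
            findings.append(f"{name}: a source value is repeated")
    return findings


# The header from this issue, with the long nonce shortened to a constructed value.
ISSUE_HEADER = (
    "default-src 'self' 'self' data; frame-ancestors 'self' ; default-src 'self' ; "
    "script-src 'self' 'nonce-YjE3NWEyMmYz'; style-src 'self' 'nonce-YjE3NWEyMmYz'"
)

if __name__ == "__main__":
    for finding in lint_csp(ISSUE_HEADER):
        print(finding)
```

Run against the issue's header this produces three findings: the bare `data` source, the repeated `'self'` in the first `default-src`, and the second `default-src` that browsers will ignore. The `effective_policy` helper shows what actually applies, which is why the `data` image in the admin console would still be blocked even though the generated header looks like it allows it.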
I have updated the issue... I screwed it good and proper this time haha
I'm guessing you are not meant to just publish/enable all the reports :-) but thinking like a user, that is what people will do.
There is also no way now to "disable" the header because the admin console cannot work with no JS
Maybe a plain HTML rescue button would be a good idea..
Anyway, I'm not sure this is a valid issue that needs fixing. More a "I broke it by acting like a user"....
Actually I can get to options to disable it, but I cannot click the circles to unpublished reports until I disable the header.
| Field | Old | New |
| --- | --- | --- |
| Status | New | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2020-10-07 12:21:30 |
| Closed_By | | PhilETaylor |
> Actually I can get to options to disable it, but I cannot click the circles to unpublished reports until I disable the header.

By default the backend should not be affected by the headers as the default is site only. Have you changed that option?
Please reopen here so we can keep track of the issue. That component is far from perfect and your feedback and tests are very good so we can see and discuss how and where to improve.
@PhilETaylor can we please follow up on this one and reopen here so we can start identifying and fixing the problems reported here?
I was waiting until I had time to revisit and replicate and redocument this issue which I still have not had time to do. Reopening now anyway.
| Field | Old | New |
| --- | --- | --- |
| Status | Closed | New |
| Closed_Date | 2020-10-07 12:21:30 | |
| Closed_By | PhilETaylor | |
Great. Thanks and no need to hurry, I just wanted it reopened and you on board so that it does not get lost. The replicate and redocument steps would be great so we can also see what settings you had etc. But again no need to hurry on this.
Maybe it's just me not understanding what "detect" mode is meant to be doing.
I'm assuming that if I enabled "detect" mode and go and browse around the site, the site will ping the reporting URL with every asset that would have been blocked, and which needs to be whitelisted in the CSP - and then I can just visit the rules and publish them all to get a decent CSP ... that's what a user would do, I'm pretty sure.
Here is a video: https://www.youtube.com/watch?v=RTi_ahlFbjc
Also note towards the end of the video where the SVG for the green "Configuration saved" message should be is not there.
> I'm assuming that if I enabled "detect" mode and go and browse around the site, the site will ping the reporting URL with every asset that would have been blocked, and which needs to be whitelisted in the CSP - and then I can just visit the rules and publish them all to get a decent CSP ... that's what a user would do, I'm pretty sure.

Just to confirm yes that is the intended process. But in this case the directive passed to the reporter was not vanilla but also included more stuff than intended so that caused some issues.
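The detect/report-only workflow confirmed above, reduced to its mechanics as an added example (this is not com_csp code and makes no claim about how the component stores or publishes its reports). Browsers POST a JSON `csp-report` for every blocked asset; the script aggregates those reports into one source list per directive and emits a single header in which each directive appears exactly once. Inline and eval violations are deliberately not turned into `'unsafe-inline'`/`'unsafe-eval'`; they are returned separately so a person can choose a nonce or hash. A bare `data` blocked-uri, which some browsers send without the colon, is normalised to `data:`. All report contents and hostnames are constructed sample data.

```python
"""Added example, not com_csp code: aggregate CSP violation reports into a
single policy with one entry per directive. Sample reports are constructed."""

import json
from urllib.parse import urlsplit

# Constructed sample reports in the report-uri JSON shape, one per blocked asset.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://cdn.example.test/lib.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://cdn.example.test/plugin.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/admin", "effective-directive": "img-src",'
    ' "blocked-uri": "data"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "style-src",'
    ' "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "font-src \'self\'",'
    ' "blocked-uri": "https://fonts.example.test/a.woff2"}}',
]


def source_for(blocked_uri):
    """Map a report's blocked-uri to a CSP source expression, or None if it must not be auto-allowed."""
    if blocked_uri in ("inline", "eval", ""):
        return None                          # needs a nonce/hash or a code change, never a wildcard
    if blocked_uri == "self":
        return "'self'"
    if blocked_uri in ("data", "blob"):      # some browsers report a bare scheme without the colon
        return blocked_uri + ":"
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"   # allow the origin, not the single file
    if parts.scheme:
        return f"{parts.scheme}:"                   # e.g. "data:..." -> "data:"
    return None


def aggregate(reports):
    """Return ({directive: [sources]}, [(directive, blocked_uri)] left for manual review)."""
    policy, manual = {}, []
    for raw in reports:
        report = json.loads(raw)["csp-report"]
        # Newer browsers send effective-directive; the legacy field carries "name value..." so take the name.
        directive = (report.get("effective-directive") or report["violated-directive"]).split()[0]
        src = source_for(report.get("blocked-uri", ""))
        if src is None:
            manual.append((directive, report.get("blocked-uri", "")))
            continue
        sources = policy.setdefault(directive, ["'self'"])
        if src not in sources:               # dedupe: two files from one CDN yield one origin
            sources.append(src)
    return policy, manual


def build_header(policy):
    """Serialise the aggregated policy; each directive appears exactly once."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


if __name__ == "__main__":
    policy, manual = aggregate(SAMPLE_REPORTS)
    print("Content-Security-Policy:", build_header(policy))
    for directive, uri in manual:
        print(f"manual review needed: {directive} blocked {uri!r} (use a nonce or hash)")
```

Two files from the same CDN collapse into one origin, the bare `data` report becomes `data:` under `img-src`, and the inline style is listed for manual review rather than silently loosened. Keeping that last step manual is what stops the "publish everything" habit described in this thread from producing a policy that allows inline script.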
| Field | Old | New |
| --- | --- | --- |
| Status | New | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2020-10-17 13:52:22 |
| Closed_By | | zero-24 |
I have now also added a special handling for data reports to that PR too. So for now I would like to close here in reference to the PR mentioned. Thanks!
Hmm, that generated header looks strange. Can you show me the list of approved reports from com_csp?