brianteeman - 18 Dec 2020

See #31641 for details

There is a bug in com_csp in that it is only showing the domain root, which is not the same as the site root, AND it is not showing the actual URL.

[screenshot]

brianteeman - open - 18 Dec 2020
bembelimen - comment - 28 Dec 2020

Just for documentation, as I'm not sure why it's done that way:
here the full URL is available but only the domain is saved. As @zero-24 did a lot of changes here, perhaps he can explain?

zero-24 - comment - 28 Dec 2020

Solution is here: #31641 (comment) ;-)

We just need to have someone with the time to make a PR with those changes.

bembelimen - comment - 28 Dec 2020

Two things I don't like about the solution:

  1. it uses parse_url instead of Uri (internal checks etc.)
  2. Wildly saving a full URL with all parameters looks to me like a good way to open up a gate for potential XSS, as any URL can be sent in the request, plus there is a high potential that an admin opens the URL to check the page for the stuff, because the list is really lacking important information (which script etc.)

zero-24 - comment - 28 Dec 2020

Agree, feel free to send a PR that uses Uri vs parse_url.

> Wildly saving a full URL with all parameters looks to me like a good way to open up a gate for potential XSS, as any URL can be sent in the request, plus there is a high potential that an admin opens the URL to check the page for the stuff, because the list is really lacking important information (which script etc.)

Agree on the XSS stuff, any ideas to solve it?

There is an issue open on the CSP specs site. Right now we could only get a short part of the script but not the full or even better the script hash to whitelist it.
w3c/webappsec-csp#378
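One defensive way to store the full document-uri and still list it safely, as an added example (PHP, not Joomla's own com_csp code or either PR mentioned here): it assumes a stand-alone script, so it uses parse_url where the component would use Uri, and the report JSON is constructed for the example.

```php
<?php
// Added example, not code from Joomla's com_csp or the PRs in this thread: keep the
// full document-uri from a CSP violation report without making the admin list an
// XSS sink. The report JSON is constructed for the example.
declare(strict_types=1);

const SAMPLE_REPORT = '{"csp-report":{'
    . '"document-uri":"https://example.test/index.php?option=com_content&view=article&id=1",'
    . '"blocked-uri":"inline",'
    . '"violated-directive":"script-src-elem",'
    . '"script-sample":"alert(document.cookie)"}}';

// Validate one report; null means drop it. The component would use Joomla's Uri
// class here (as the thread prefers); parse_url keeps this example stand-alone.
function parseCspReport(string $json): ?array
{
    $decoded = json_decode($json, true);
    $report  = $decoded['csp-report'] ?? null;
    if (!is_array($report)) {
        return null;
    }

    $documentUri = (string) ($report['document-uri'] ?? '');
    $parts       = parse_url($documentUri);
    // Only absolute http(s) URLs with a host are stored; javascript:, data: or
    // relative values are rejected before they reach the database.
    if ($parts === false || empty($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }

    return [
        'document_uri'  => $documentUri,
        'blocked_uri'   => (string) ($report['blocked-uri'] ?? ''),
        'directive'     => (string) ($report['violated-directive'] ?? ''),
        // script-sample is only the short excerpt the browser sends, not the full script or its hash.
        'script_sample' => (string) ($report['script-sample'] ?? ''),
    ];
}

// All fields are browser-supplied: HTML-escape on output, show the URL as text, not a link.
function renderRow(array $row): string
{
    $e = static fn (string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $e($row['document_uri']) . '</td><td>' . $e($row['blocked_uri']) . '</td><td>'
        . $e($row['directive']) . '</td><td><code>' . $e($row['script_sample']) . '</code></td></tr>';
}

echo ($row = parseCspReport(SAMPLE_REPORT)) === null ? "report rejected\n" : renderRow($row) . "\n";
```

A report whose document-uri is not an absolute http(s) URL is rejected at parse time, and the short script-sample is shown escaped so an admin can see which script triggered the violation without the page executing it.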

brianteeman - comment - 31 Dec 2020

With

  • the absence of URL being displayed
  • the lack of info about which script
  • the potential for serious XSS issues if the URL is displayed
  • the absence of any helpful information suitable for the typical Joomla user

this should be removed from 4.0 and pushed back to 4.1. It's just nowhere near release ready sadly.

brianteeman - comment - 19 Feb 2021

Trying to use this in the real world, and even on a site that only has five pages the reports are completely useless.

[image]

zero-24 - comment - 19 Feb 2021

Agree, that's the reason I proposed the change that still allows the full URL to be shown, as before the other PR.

rdeutz - change - 29 Mar 2021
Status: New → Closed
Closed_Date: 2021-03-29 08:44:07
Closed_By: rdeutz
rdeutz - close - 29 Mar 2021
rdeutz - comment - 29 Mar 2021

closing as we have a PR #32893
