This might only be captured in older PR testing steps, or be just tribal knowledge for now:
- Enabling CSP in local development:
For local dev, the right env variables need to be set to the right values to be able to develop/debug with CSP: to trigger the headers to be emitted at all, and to see the effect of changes both in code and in the CSP values.
Some steps are e.g. in the testing instructions here: mozilla/bedrock#15557; however, I think the reporting percentage also needs setting to 100% in env to be reliable.
- Why would Report-Only show warnings/errors in console over missing endpoint:
When outside of the reporting sample percentage cohort, the Report-Only headers will be there, just without the reporting endpoint, for debugging reasons. That has come up e.g. here: mozmeao/springfield#690 (comment), as something to be aware of, and thus documented.
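
The two situations described above, as an added sketch that is not code from bedrock or springfield: a response with no CSP headers at all (CSP not enabled in the environment), and a Report-Only header that carries no reporting endpoint because the request fell outside the sample cohort. The sampling model, function names, sample policy and endpoint URL are all assumptions made for illustration.

```python
# Added illustration; names and sampling logic are assumptions, not project code.

def parse_csp(value):
    """Parse a CSP header value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def build_report_only(directives, report_uri, sample_rate, draw):
    """Assumed model of sampled reporting: attach report-uri only if draw < sample_rate.

    sample_rate is a fraction in [0, 1]; draw is in [0, 1), e.g. random.random().
    """
    parts = [f"{name} {' '.join(srcs)}".strip() for name, srcs in directives.items()]
    if draw < sample_rate:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)

def diagnose(headers):
    """Return a list of findings for one response's headers (name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    findings = []
    if enforced is None and report_only is None:
        findings.append("no-csp-headers")  # CSP not enabled in this environment
    if report_only is not None:
        policy = parse_csp(report_only)
        # Outside the sample cohort: header present, but nowhere to send reports.
        if not policy.get("report-uri") and not policy.get("report-to"):
            findings.append("report-only-without-endpoint")
    return findings

# Constructed sample policy and endpoint.
SAMPLE = {"default-src": ["'self'"], "img-src": ["'self'", "data:"]}
ENDPOINT = "https://csp.example.test/report"

def demo():
    in_cohort = build_report_only(SAMPLE, ENDPOINT, 0.1, draw=0.05)
    out_cohort = build_report_only(SAMPLE, ENDPOINT, 0.1, draw=0.5)
    always = build_report_only(SAMPLE, ENDPOINT, 1.0, draw=0.999)  # 100% sampling
    return [diagnose({"Content-Security-Policy-Report-Only": v})
            for v in (in_cohort, out_cohort, always)] + [diagnose({})]

if __name__ == "__main__":
    print(demo())
```

With the sample rate at 1.0 every draw is inside the cohort, so the endpoint is always present and the finding never appears.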