Support report-to CSP directive and Reporting-Endpoints header (#7374) #7380
Conversation
| { | ||
| synchronized (SUBSTITUTION_LOCK) | ||
| { | ||
| _previousBaseServerUrl = baseServerUrl; |
There was a problem hiding this comment.
Should be fine for our purposes given how infrequently the base URL changes, but in theory another thread could come along after _previousBaseServerUrl has been updated but before the rest of the reset has happened, and end up with a mix of old and new values
There was a problem hiding this comment.
I wanted to avoid synchronizing on every request, of course. I should probably set _previousBaseServerUrl at the end of the block (or outside the block) to make this less likely. The other scenario (multiple requests seeing a stale base server URL and duplicating the work) is then more likely to happen, but this shouldn't be a problem. If I make a change, it'll be in a future develop PR.
There was a problem hiding this comment.
Another strategy would be to create a record or other immutable data structure to hold _policyTemplate and _reportingEndpointsHeaderValue. That way you could swap in new values atomically.
I don't think any of these problems is likely in the real world, so making any revisions (if at all) in develop sounds good.
There was a problem hiding this comment.
I like that idea. We'd have to add _policyExpression into the record as well.
Rationale
Back port to support report-to CSP directive in 26.2
Also, limit ImpersonatingTroubleshooter permissions to the root