Reporting is a central mechanism for sending out-of-band error reports to origins from various other components (e.g. HTTP Public Key Pinning, Interventions, or Content Security Policy could potentially use it).
The parts of it that are exposed to the web platform are specified in the draft spec. This document assumes that you've read that one.
Reporting is implemented as part of the network stack in Chromium, such that it can be used by other parts of the network stack (e.g. HPKP) or by non-browser embedders as well as by Chromium.
//net
The top-level class is the ReportingService
. This lives in the URLRequestContext
, and provides the high-level operations used by other parts of //net
and other components: queueing reports, handling configuration headers, clearing browsing data, and so on.
A ReportingPolicy
specifies a number of parameters for the Reporting API, such as the maximum number of reports and endpoints to queue, the time interval between delivery attempts, whether or not to persist reports and clients across network changes, etc. It is used to create a ReportingService
obeying the specified parameters.
Within ReportingService
lives ReportingContext
, which in turn contains the inner workings of Reporting, spread across several classes:
The ReportingCache
stores undelivered reports and endpoint configurations (aka “clients” in the spec).
The ReportingHeaderParser
parses Report-To:
headers and updates the cache accordingly.
The ReportingDeliveryAgent
reads reports from the cache, decides which endpoints to deliver them to, and attempts to do so. It uses a couple of helper classes:
The ReportingUploader
does the low-level work of delivering reports: accepts a URL and JSON from the DeliveryAgent
, creates a URLRequest
, and parses the result. It also handles sending CORS preflight requests for cross-origin report uploads.
The ReportingEndpointManager
chooses an endpoint from the cache when one is requested by the ReportingDeliveryAgent
, and manages exponential backoff (using BackoffEntry
) for failing endpoints.
The ReportingGarbageCollector
periodically examines the cache and removes reports that have remained undelivered for too long, or that have failed delivery too many times.
The ReportingBrowsingDataRemover
examines the cache upon request and removes browsing data (reports and endpoints) of selected types and origins.
The ReportingDelegate
calls upon the NetworkDelegate
(see below) to check permissions for queueing/sending reports and setting/using clients.
The ReportingService
is set up in a URLRequestContext
by passing a ReportingPolicy
to the URLRequestContextBuilder
. This creates a ReportingService
which is owned by the URLRequestContextStorage
.
Report-To:
headers are processed by an HttpNetworkTransaction
when they are received, and passed on to the ReportingService
to be added to the cache.
//net
In the network service, a network::NetworkContext
queues reports by getting the ReportingService
from the URLRequestContext
.
The JavaScript ReportingObserver interface lives in //third_party/blink/renderer/core/frame/
.
NetworkContext
using a blink::mojom::ReportingServiceProxy
(implemented in //content/browser/net/
), which can queue Intervention, Deprecation, CSP Violation, and Feature Policy Violation reports.The ChromeNetworkDelegate
in //chrome/browser/net/
checks permissions for queueing reports and setting/using clients based on whether cookie access is allowed, and checks permissions for sending reports using a ReportingPermissionsChecker
, which checks whether the user has allowed report uploading via the BACKGROUND_SYNC permission.
Cronet can configure “preloaded” Report-To:
headers (as well as Network Error Logging headers) when initializing a CronetURLRequestContext
, to allow embedders to collect and send reports before having received a header in an actual response.