Reporting is a central mechanism for sending out-of-band error reports to origins from various other components (e.g. HTTP Public Key Pinning, Interventions, or Content Security Policy could potentially use it).
The parts of it that are exposed to the web platform are specified in the draft spec. This document assumes that you've read that one.
Reporting is implemented as part of the network stack in Chromium, such that it can be used by other parts of the network stack (e.g. HPKP) or by non-browser embedders as well as by Chromium.
The top-level class is the
ReportingService. This lives in the
URLRequestContext, and provides the high-level operations used by other parts of
//net and other components: queueing reports, handling configuration headers, clearing browsing data, and so on.
ReportingPolicy specifies a number of parameters for the Reporting API, such as the maximum number of reports and endpoints to queue, the time interval between delivery attempts, whether or not to persist reports and clients across network changes, etc. It is used to create a
ReportingService obeying the specified parameters.
ReportingContext, which in turn contains the inner workings of Reporting, spread across several classes:
ReportingCache stores undelivered reports and endpoint configurations (aka “clients” in the spec).
Report-To: headers and updates the cache accordingly.
ReportingDeliveryAgent reads reports from the cache, decides which endpoints to deliver them to, and attempts to do so. It uses a couple of helper classes:
ReportingUploader does the low-level work of delivering reports: accepts a URL and JSON from the
DeliveryAgent, creates a
URLRequest, and parses the result. It also handles sending CORS preflight requests for cross-origin report uploads.
ReportingEndpointManager chooses an endpoint from the cache when one is requested by the
ReportingDeliveryAgent, and manages exponential backoff (using
BackoffEntry) for failing endpoints.
ReportingGarbageCollector periodically examines the cache and removes reports that have remained undelivered for too long, or that have failed delivery too many times.
ReportingBrowsingDataRemover examines the cache upon request and removes browsing data (reports and endpoints) of selected types and origins.
ReportingDelegate calls upon the
NetworkDelegate (see below) to check permissions for queueing/sending reports and setting/using clients.
ReportingService is set up in a
URLRequestContext by passing a
ReportingPolicy to the
URLRequestContextBuilder. This creates a
ReportingService which is owned by the
Report-To: headers are processed by an
HttpNetworkTransaction when they are received, and passed on to the
ReportingService to be added to the cache.
In the network service, a
network::NetworkContext queues reports by getting the
ReportingService from the
NetworkContext using a
blink::mojom::ReportingServiceProxy (implemented in
//content/browser/net/), which can queue Intervention, Deprecation, CSP Violation, and Feature Policy Violation reports.
//chrome/browser/net/ checks permissions for queueing reports and setting/using clients based on whether cookie access is allowed, and checks permissions for sending reports using a
ReportingPermissionsChecker, which checks whether the user has allowed report uploading via the BACKGROUND_SYNC permission.
Cronet can configure “preloaded”
Report-To: headers (as well as Network Error Logging headers) when initializing a
CronetURLRequestContext, to allow embedders to collect and send reports before having received a header in an actual response.