paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)

Home Page: https://paragonie.com/projects


report-uri is encoded into an unusable string

Firesphere opened this issue

The report-uri is encoded when the header is compiled, and then escaped, causing https://example.com to be encoded as https%3A//example.com

The browser then interprets this as "https://www.mydomain.com/https%3A//example.com", which... maybe obviously, doesn't work very well.

#61 fixes this. We haven't tagged a release yet.

Hi @paragonie-security, I left a comment on the pull request earlier. I still get the behaviour after the merged fix: #62 (comment), even with the addition of the URL parameter. A downgrade to 2.7.0 resolved my particular issue.

Resolved in latest release :)
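
The resolution behaviour reported in this issue, as an added example that is not part of the thread or of csp-builder's code: it parses a CSP header, resolves each report-uri value against the page URL the way a browser does, and flags values whose scheme separator was percent-encoded. The function names and sample headers are constructed for illustration.

```javascript
// Added example (not csp-builder code): audit the report-uri of a CSP header.
// Function names and the sample headers below are constructed for illustration.

// Split a CSP header value into a Map of directive name -> list of values.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only its first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Matches a scheme whose ":" was percent-encoded, e.g. "https%3A//".
const ENCODED_SCHEME = /^[a-z][a-z0-9+.-]*%3a/i;

// Resolve every report-uri value against the page URL, as a browser would,
// and report where the violation reports would actually be sent.
function checkReportUri(header, pageUrl) {
  const page = new URL(pageUrl);
  const values = parseCsp(header).get('report-uri') || [];
  return values.map((value) => {
    let resolved = null;
    try {
      resolved = new URL(value, page);
    } catch (err) {
      // Unparseable value: leave resolved as null.
    }
    return {
      value,
      resolved: resolved ? resolved.href : null,
      sameOriginAsPage: resolved !== null && resolved.origin === page.origin,
      mangled: ENCODED_SCHEME.test(value),
    };
  });
}

// Constructed sample headers: the encoded form from the issue, and the intended form.
const BROKEN = "default-src 'self'; report-uri https%3A//example.com";
const INTENDED = "default-src 'self'; report-uri https://example.com";
const PAGE = 'https://www.mydomain.com/';

for (const header of [BROKEN, INTENDED]) {
  console.log(header, '=>', checkReportUri(header, PAGE));
}
```

A check like this fits in a deployment test: a `mangled` value means violation reports will go to the page's own origin and never reach the intended collector.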