In Chrome 73.0.3683.103 console, as of today, I am seeing the following error:
The Content Security Policy 'script-src 'report-sample' 'nonce-PNYOS1z63mBa/Tqkqyii' 'unsafe-inline';object-src 'none';base-uri 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
I believe this is from script src="https://apis.google.com/js/platform.js"... Everything seems to work. The initiator seems to be https://content.googleapis.com/static/proxy.html?usegapi=1...
What is causing this and how can I fix it?
Edit: As of today, I am no longer seeing the error. So I assume Google has fixed this issue.
If the parent page is owned by you there's a couple of things you can do to correct this. If the parent page is not owned by you, there's nothing you can do, but this warning won't affect your experience.
First some background:
A Content Security Policy or CSP is a header your server can set which tells the browser to enforce a whitelist of what content can run on your page, where it can come from, and how it can run. For example, you can limit what domains JavaScript is allowed to be fetched from, whether JavaScript can run inline, or where JavaScript can make XHR calls out to.
CSP can run in two modes: blocking and reporting.
In blocking mode the browser enforces the policy laid out in the CSP and applies those restrictions to your webpage. In blocking mode you can optionally have any blocked content be reported back to an endpoint you specify in the report-uri directive of the CSP. In reporting mode nothing is blocked; the things that would have been blocked are instead reported to the endpoint specified in the policy's report-uri directive.
The browser warning says that you're running in reporting mode but you haven't specified a report-uri, so it doesn't know where to report violations. In effect, your CSP is doing nothing other than wasting bandwidth because it's not reporting or blocking any issues it's finding.
That leaves you with a few options:
- Add a report-uri (something like report-uri https://example.com/csp_reports) to receive requests. Even if you're not receiving anything at that endpoint your specific console warning will disappear (you'll still get console errors for specific CSP violations even if they aren't blocked).
- report-uri. Long term, this is the best solution from a security standpoint, but the warning from step 3 applies.
If it was me, I would first add a report-uri to understand what warnings my page is generating (note some might be triggered by browser extensions - nothing you can do about that, but that's okay). Once I understand the common warnings I'd tweak the CSP and what resources I have to make sure the page is loading without any warnings or errors in the console. Then I'd switch the CSP into blocking mode to take advantage of the security benefits it provides.
This is related to the server/backend level settings.
If you have access to the server from which the code is served, you can set the header there. Currently the Content-Security-Policy-Report-Only header has been set without all the required parameters. You can check there and either remove this header (if not required) or set the required parameters.
You can find the header details here.
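The rollout both answers describe (set the header on the server, deliver it report-only with a report-uri first, then switch to the enforcing Content-Security-Policy header once the reports are clean), as an added Python example that is not part of the question or either answer. It uses only the standard library; the report endpoint path, the listening port, the nonce placeholder and the sample violation report are constructed assumptions. The checker reproduces the condition behind the console warning quoted in the question: a report-only policy with no report sink is neither blocking nor reporting.

```python
"""Added example: serve a CSP with a report-uri, receive the browser's violation
reports, and check a policy for the report-only-without-sink condition."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

REPORT_PATH = "/csp_reports"  # assumed endpoint, like the answer's example.com/csp_reports
# Policy from the question's warning, with the nonce replaced by a placeholder;
# a real deployment generates a fresh random nonce per response.
BASE_POLICY = ("script-src 'report-sample' 'nonce-PLACEHOLDER' 'unsafe-inline'; "
               "object-src 'none'; base-uri 'self'")


def parse_csp(policy: str) -> dict:
    """Split a serialized CSP into {directive_name: [source values]}."""
    directives: dict = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, *values = parts
        directives.setdefault(name.lower(), []).extend(values)
    return directives


def check_policy(header_name: str, policy: str) -> Optional[str]:
    """Return a warning when a report-only policy has nowhere to send reports
    (the situation in the question's console message); None if the policy is usable.
    report-to is the newer Reporting API alternative to report-uri."""
    directives = parse_csp(policy)
    report_only = header_name.lower() == "content-security-policy-report-only"
    has_sink = "report-uri" in directives or "report-to" in directives
    if report_only and not has_sink:
        return "report-only policy without report-uri/report-to: nothing is blocked or reported"
    return None


def build_csp_header(enforce: bool, report_path: str = REPORT_PATH):
    """Return (header name, value) for the two stages: report-only first, then
    enforcing. Both stages keep report-uri so violations remain visible."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, f"{BASE_POLICY}; report-uri {report_path}"


def summarize_report(body: bytes) -> dict:
    """Extract the fields worth logging from a browser CSP violation report
    (POSTed as application/csp-report, JSON wrapped in a "csp-report" object)."""
    report = json.loads(body).get("csp-report", {})
    return {
        "document": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
        "disposition": report.get("disposition", "unknown"),  # "report" or "enforce"
    }


class Handler(BaseHTTPRequestHandler):
    enforce = False  # flip to True once the report stream shows no legitimate resources

    def do_GET(self):
        name, value = build_csp_header(self.enforce)
        # The inline script carries no nonce; because a nonce source is present,
        # browsers ignore 'unsafe-inline' and will report (or block) it.
        body = b"<!doctype html><p>CSP demo</p><script>console.log('no nonce')</script>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != REPORT_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        summary = summarize_report(self.rfile.read(length))
        print("CSP violation:", summary)  # in practice: aggregate per directive/blocked-uri
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it, open http://127.0.0.1:8080/ in Chrome, and the console no longer shows the "does not specify a 'report-uri'" warning; instead the server prints one report for the un-nonced inline script with disposition "report". Setting Handler.enforce to True switches the same policy to the blocking header without losing the report stream.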