
Chrome console error: The Content Security Policy was delivered in report-only mode, but does not specify a 'report-uri'

In Chrome 73.0.3683.103 console, as of today, I am seeing the following error:

The Content Security Policy 'script-src 'report-sample' 'nonce-PNYOS1z63mBa/Tqkqyii' 'unsafe-inline';object-src 'none';base-uri 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.

I believe this is from script src="https://apis.google.com/js/platform.js"... Everything seems to work. The initiator seems to be https://content.googleapis.com/static/proxy.html?usegapi=1...

What is causing this and how can I fix it?

Edit: As of today, I am no longer seeing the error. So I assume google has fixed this issue.

Ted Scheckler asked Apr 05 '19 13:04


2 Answers

If the parent page is owned by you there's a couple of things you can do to correct this. If the parent page is not owned by you, there's nothing you can do, but this warning won't affect your experience.

First some background:

What is CSP?

A Content Security Policy or CSP is a header your server can set which tells the browser to enforce a whitelist of what content can run on your page, where it can come from, and how it can run. For example, you can limit what domains JavaScript is allowed to be fetched from, whether JavaScript can run inline, or where JavaScript can make xhr calls out to.

CSP can run in two modes: blocking and reporting.

In blocking mode the browser enforces the policy laid out in the CSP and applies those restrictions to your webpage. In blocking mode you can optionally have any blocked content be reported back to an endpoint you specify in the report-uri directive of the CSP. In reporting mode nothing is blocked; only things that would get blocked get reported to the endpoint specified in the policy's report-uri directive.

Your specific issue

The browser warning says that you're running in reporting mode but you haven't specified a report-uri so it doesn't know where to report violations. In effect, your CSP is doing nothing other than wasting bandwidth because it's not reporting or blocking any issues it's finding.

That leaves you with a few options:

  1. Do nothing. Your CSP won't alert you about any issues (outside of messages in the console) and it won't block any content.
  2. Add a report-uri (something like report-uri: https://example.com/csp_reports) to receive requests. Even if you're not receiving anything at that endpoint your specific console warning will disappear (you'll still get console errors for specific CSP violations even if they aren't blocked).
  3. Switch the CSP into blocking mode. You won't receive any reports but the warning will disappear as the CSP now serves a purpose of blocking content. Caution: don't do this if it's saying it's blocking a lot of things. That's indicative that your site might break. First, fix the issues it's blocking by adjusting the CSP or changing what resources you're using and then flip it into blocking mode.
  4. Switch the CSP into blocking mode and add a report-uri. Long term, this is the best solution from a security standpoint but the warning from step 3 applies.

If it was me, I would first add a report-uri to understand what warnings my page is generating (note some might be triggered by browser extensions - nothing you can do about that, but that's okay). Once I understand the common warnings I'd tweak the CSP and what resources I have to make sure the page is loading without any warnings or errors in the console. Then I'd switch the CSP into blocking mode to take advantage of the security benefits it provides.

winhowes answered Oct 15 '22 18:10
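The header value from the question, parsed and checked for the exact condition Chrome warns about (report-only delivery with no reporting target), then rewritten along the lines of options 2 to 4 above. This is an added example, not code from the question or either answer; `parse_csp`, `check_report_only`, `fix_header` and the `https://example.com/csp_reports` endpoint are my own names, and `report-to` is included because it is the CSP3 successor of `report-uri`.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the policy quoted in the question's console error, as it
# would arrive in a Content-Security-Policy-Report-Only header (no report-uri).
SAMPLE_HEADER_VALUE = (
    "script-src 'report-sample' 'nonce-PNYOS1z63mBa/Tqkqyii' 'unsafe-inline';"
    "object-src 'none';base-uri 'self'"
)
REPORT_ONLY = "Content-Security-Policy-Report-Only"
ENFORCING = "Content-Security-Policy"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated; inside a directive the tokens are
    whitespace-separated and the first one is the (case-insensitive) name.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def check_report_only(header_name: str, value: str) -> List[str]:
    """Report the misconfiguration behind Chrome's warning: a report-only
    policy that names no reporting endpoint cannot block or report anything."""
    findings: List[str] = []
    policy = parse_csp(value)
    if header_name.lower() == REPORT_ONLY.lower():
        if "report-uri" not in policy and "report-to" not in policy:
            findings.append("report-only policy has no report-uri/report-to; "
                            "it will have no effect")
    return findings


def fix_header(header_name: str, value: str,
               report_endpoint: Optional[str] = None,
               enforce: bool = False) -> Tuple[str, str]:
    """Return a corrected (header name, header value) pair: optionally add a
    report-uri, and optionally switch from report-only to enforcing mode."""
    policy = parse_csp(value)
    if report_endpoint and "report-uri" not in policy:
        policy["report-uri"] = [report_endpoint]
    name = ENFORCING if enforce else REPORT_ONLY
    serialized = "; ".join(" ".join([d] + srcs) for d, srcs in policy.items())
    return name, serialized
```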


This is related to the server/backend level settings.

If you have access to your server from where code is served, you can set the header settings. So currently the Content-Security-Policy-Report-Only header has been set without all required parameters. You can just check there and either remove this header (if not required), or set the required parameters.

You can find the header details from here

akbansa answered Oct 15 '22 19:10