Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Content Security Policy violation details missing on report-uri

Tags:

node.js

google-chrome

express

body-parser

content-security-policy

Chrome is reporting Content Security Policy violations to the report-uri, but it reports no violation details. It reports {} instead of providing details regarding the violated policy. All other browsers seem to be reporting violation details fine. My policy is provided below.

I've tried...

  1. putting the full absolute path in the report-uri directive.
  2. taking the policy out of Report-Only mode
  3. making the policy much simpler e.g. default-src 'none' ; report-uri /api/csp-report;
  4. turning off all my extensions (although I am seeing this in a production site from win & osx visitors with chrome)
  5. testing in Canary
  6. "Reported an issue" in chrome (I'm guessing it hasn't even been triaged yet)

Questions I haven't found an answer for yet

  1. Is this implemented in Chrome yet?
  2. Does the implementation differ from the spec?

The Policy (Delivered via HTTP Header)

Content-Security-Policy-Report-Only: default-src 'none' ; script-src 'self' 'unsafe-eval' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https://www.google-analytics.com ; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.servicesite.com; frame-src 'none' ; child-src 'none' ; frame-ancestors 'none' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri https://*.mysite.com; referrer origin-when-cross-origin; report-uri /api/csp-report;

Update... Mar-16-2016

  • Chrome is sending the report. I see the request body in network tab. Also logging it in intermediary nginx proxy.

That leads me to think this is a parsing issue in my receiving code (node, express using body-parser). However, still confounded as to why this would only happen for Chrome CSP reports. All other browser's reports pass though just fine.

like image 779
heme Avatar asked Feb 08 '23 11:02

heme

1 Answers

  • Chrome correctly sends CSP reports "with a Content-Type header field of application/csp-report" according to CSP spec level 2 (https://www.w3.org/TR/CSP/#violation-reports)
  • Other browsers are still sending application/json described in CSP spec level 1
  • I'm accepting reports with nodejs + expressjs + body-parser. By default body-parser only parses requests with content-type: application/json Had to include application/csp-report as a valid content type to parse.

Changed this...

app.use(bodyParser.json());

To this...

app.use(bodyParser.json({type: ['application/json', 'application/csp-report']}));

like image 163
heme Avatar answered Feb 16 '23 02:02

heme
Sign in to Comment

Related questions

RabbitMQ with NodeJS - using amqplib to get message count
WinstonJS custom levels
Setting environment variables in package.json scripts under Windows
How to restart iisnode?
How do I write a Node.js module to handle an incoming piped stream
Socket.io io.use fails - TypeError: io.use is not a function
Mongoose unique validation error even though unique constraint is not there
Node SHA-256 Base64 Digest
DB query is returning undefined value in node.js with oracledb
MongoDB ensurIndex and createIndex using nodeJS?
What is the URL to a heroku git repository?
How to call stored procedure in strongloop
I can use app.locals directly in templates but not res.locals
Visual Studio Code - Debug Node JS through TypeScript
Programmatically install a npm package, providing --save-dev flag
npm cannot find module
Express/Webpack failing on dokku and heroku
Force JSON.stringify to escape forward slash (i.e. `\/`)
Render view with anchor tag in express.js
Error: mongoose-auto-increment has not been initialized

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!