Detect CSP violations with javascript

Is it possible to detect a Content Security Policy violation with javascript?

My CSP works and sends its reports, where I see that some urls are injected, probably by browser addons. I would like to display a hint to the user, that some addon tries to modify the page.

Can I somehow detect the aborted connection with javascript (which is itself whitelisted in the CSP of course)?

allo asked Oct 14 '16 23:10



1 Answer

According to the W3C CSP specification, a violation triggers a securitypolicyviolation event. You can add an event listener for this.

// Fired on the document for every CSP violation in this page
document.addEventListener("securitypolicyviolation", function(e) {
    alert("Something is trying something bad!");
});

See the above link for the properties of this event.

In Firefox Release, you need to enable the security.csp.enable_violation_events preference to enable this feature. See Experimental Features in Firefox documentation.

Barmar answered Sep 20 '22 13:09
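As an added example (not part of Barmar's answer or the asker's code), the listener below reads the event's properties instead of only alerting. The property names (`blockedURI`, `effectiveDirective`, `violatedDirective`, `disposition`, `sourceFile`, `lineNumber`) are those of the `SecurityPolicyViolationEvent` interface in the CSP specification; the list of extension URL schemes is a constructed assumption, `showHint` is a hypothetical helper that renders the message, and the classification logic runs outside a browser too so it can be unit-tested with constructed event objects.

```javascript
// Added example, not from the original page: classify a CSP violation
// event and decide whether the user should see a hint about it.

// Constructed assumption: schemes browsers use for extension-injected
// resources. A blockedURI of "inline" or "eval" is the spec's placeholder
// for inline script/style and eval() respectively, not a real URL.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:"];

// Reduce a SecurityPolicyViolationEvent (or a plain object with the same
// fields) to the facts a defender cares about.
function classifyViolation(ev) {
  const blocked = ev.blockedURI || "";
  // effectiveDirective is the directive actually enforced; fall back to
  // violatedDirective for older browsers that only set that one.
  const directive = ev.effectiveDirective || ev.violatedDirective || "";
  let category;
  if (EXTENSION_SCHEMES.some((s) => blocked.startsWith(s))) {
    category = "extension";
  } else if (blocked === "inline" || blocked === "eval") {
    category = "inline";
  } else {
    category = "remote";
  }
  return {
    category,
    directive,
    blockedURI: blocked,
    // "enforce" means the resource was blocked; "report" means a
    // report-only policy merely logged it and nothing was stopped.
    disposition: ev.disposition || "enforce",
    source: ev.sourceFile ? `${ev.sourceFile}:${ev.lineNumber || 0}` : "(unknown)",
  };
}

// Map the classification to a user-facing message, or null for "say nothing".
function hintFor(info) {
  if (info.disposition === "report") return null; // nothing was blocked
  switch (info.category) {
    case "extension":
      return "A browser extension tried to modify this page and was blocked.";
    case "inline":
      // Usually a defect in the site's own markup, not something the user can act on.
      return null;
    default:
      return `A resource from ${info.blockedURI} was blocked by this site's security policy.`;
  }
}

// Hypothetical helper: render the hint once in the page.
function showHint(text) {
  const box = document.createElement("div");
  box.setAttribute("role", "alert");
  box.textContent = text; // textContent, never innerHTML, for untrusted strings
  document.body.appendChild(box);
}

// Wire the listener only when a DOM exists (the functions above stay testable in Node).
if (typeof document !== "undefined") {
  const seen = new Set(); // one hint per blocked URI, or a noisy extension floods the page
  document.addEventListener("securitypolicyviolation", (e) => {
    const info = classifyViolation(e);
    const hint = hintFor(info);
    if (hint && !seen.has(info.blockedURI)) {
      seen.add(info.blockedURI);
      showHint(hint);
    }
  });
}
```

The event fires only in the document whose policy was violated, so a page that loads third-party frames will not see their violations; pair the listener with the `report-uri`/`report-to` reports the asker already collects rather than relying on it alone.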