 

Why is this a CSP violation? blocked-uri = self when 'self' is explicitly allowed

I cannot wrap my head around the CSP violation report below (sent by Firefox 44.0.2 / Ubuntu). What is really being blocked here and why? It should be noted that it does not matter if I write 'self' or (as gets automatically translated in the report) https://www.example.com into the CSP header. Also, I am not aware of anything missing from the rendered page. So what can I do against it? (Apparently, I should not add reporting in my live site if every page triggers a fake violation report)

{
    "csp-report":{
        "blocked-uri":"self",
        "document-uri":"https://www.example.com/foo/bar/baz.html",
        "original-policy":"report-uri https://reportserver.example.com/ContentSecurityPolicy-report.php; 
            default-src https://www.example.com; 
            style-src https://example.com https://www.example.com https://fonts.googleapis.com; 
            script-src https://www.example.com https://code.jquery.com https://ajax.googleapis.com; 
            font-src https://fonts.gstatic.com",
        "referrer":"https://www.example.com/foo/bar/wtf.html",
        "source-file":"https://www.example.com/foo/bar/baz.html",
        "violated-directive":"style-src https://example.com https://www.example.com https://fonts.googleapis.com"
    }
}
Hagen von Eitzen asked Feb 19 '16 16:02


1 Answer

By setting your policy to:

default-src 'self'; style-src example.com www.example.com 'self' https://fonts.googleapis.com 'unsafe-inline'; script-src 'self' https://code.jquery.com https://ajax.googleapis.com; font-src https://fonts.gstatic.com 'self';

I don't see any violations. I added the 'unsafe-inline' to style src, and 'self' to font-src.

oreoshake answered Oct 14 '22 01:10

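Added example (not code from the question or the answer): a small Python diagnoser for report-uri JSON like the one above. It treats a blocked-uri of "self" (what Firefox of that era sent for inline styles and scripts) or "inline" as an inline resource, which no host source and not even 'self' can cover, and otherwise checks the blocked origin against the violated directive's source list. Both sample reports are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports (not the page's code); the first mirrors the question's.
SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://www.example.com/foo/bar/baz.html",
    "original-policy": ("default-src https://www.example.com; "
                        "style-src https://example.com https://www.example.com https://fonts.googleapis.com; "
                        "script-src https://www.example.com https://code.jquery.com"),
    "violated-directive": ("style-src https://example.com https://www.example.com "
                           "https://fonts.googleapis.com"),
}})
SAMPLE_HOST_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://cdn.example.net/widget.js",
    "document-uri": "https://www.example.com/foo/bar/baz.html",
    "original-policy": "default-src 'self'; script-src 'self' https://code.jquery.com",
    "violated-directive": "script-src 'self' https://code.jquery.com",
}})

def parse_policy(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    result = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result

def origin(url):
    # scheme://host[:port], lower-cased, for comparison against host sources
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def diagnose(report_json):
    """Classify one report: inline resource vs. disallowed host, with a hint."""
    r = json.loads(report_json)["csp-report"]
    directive = r["violated-directive"].split()[0].lower()
    sources = parse_policy(r["original-policy"]).get(directive, [])
    blocked = r.get("blocked-uri", "")
    # Firefox of that era reported inline styles/scripts with blocked-uri "self";
    # later browsers use "inline" or "". A host source (even the page's own host)
    # never covers inline code; only 'unsafe-inline', a nonce or a hash does.
    if blocked in ("self", "inline", ""):
        return {"directive": directive, "kind": "inline", "allowed": False,
                "hint": f"{directive} needs 'unsafe-inline', a nonce or a hash"}
    allowed = {origin(r["document-uri"]) if s == "'self'" else s.lower() for s in sources}
    hit = origin(blocked) in allowed
    return {"directive": directive, "kind": "host", "allowed": hit,
            "hint": f"add {origin(blocked)} to {directive}" if not hit else "source matches; check scheme/port/path"}
```

Run over a log of stored reports, the "inline" class separates the per-page noise the question describes from genuinely unexpected third-party hosts, which are the reports worth investigating.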