Why would 'data:' be a script-src for CSP?

I've seen the following Content Security Violation in my server's logs. When would there be a 'data:' type script-src? Isn't 'data:' only for e.g. base64 encoded images?

CSP violation!
    { 'csp-report':
        { 'blocked-uri': 'data:',
          'document-uri': 'https://certsimple.com/blog/domain-validated-ssl',
          'original-policy': longPolicyGoesHere,
          referrer: '',
          'violated-directive': 'script-src https://example.com https://use.typekit.net \'unsafe-inline\' https://js.stripe.com \'unsafe-eval\' https://platform.twitter.com https://cdn.mxpnl.com https://syndication.twitter.com' } }
mikemaccana asked Aug 20 '15 14:08


1 Answer

data: is for base64 encoded, embedded data. While the most popular usage is to encode images into stylesheets to reduce the number of requests, that is not the only use. The URI scheme can be used for scripts like the following:

<script src="data:application/javascript;charset=utf-8;base64,YWxlcnQoJ1hTUycpOw=="></script>

Also available on jsfiddle.

The report you're seeing is legitimate: something is attempting to inject arbitrary JavaScript into your page using the Data URI scheme to obfuscate what it's doing. While this could be reflective of an issue in your application, it's more likely going to be a rogue browser extension that's either malicious and trying to do sneaky things, or benign and very badly coded.

anthonyryan1 answered Sep 29 '22 21:09
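As an added example (not part of the question or the answer above), a small Node.js triage routine for CSP reports like the one in the question. It parses `violated-directive`, flags a `data:` blocked-uri under `script-src` as the case the answer describes, and notes that `'unsafe-inline'` and `'unsafe-eval'` do not admit `data:` URIs; only an explicit `data:` source in `script-src` would. The sample reports are constructed.

```javascript
// Constructed sample reports in the shape a browser POSTs to report-uri.
// 'original-policy' is omitted; it is not needed for this triage.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'blocked-uri': 'data:', 'document-uri': 'https://example.org/blog/post',
      'violated-directive': "script-src https://example.com 'unsafe-inline' https://js.stripe.com" } },
  { 'csp-report': { 'blocked-uri': 'data:', 'document-uri': 'https://example.org/',
      'violated-directive': "img-src 'self'" } },
  { 'csp-report': { 'blocked-uri': 'https://cdn.example.net/x.js', 'document-uri': 'https://example.org/',
      'violated-directive': "script-src 'self'" } },
];

// Split "script-src https://a 'unsafe-inline'" into the directive name and its source list.
function parseDirective(violated) {
  const [name, ...sources] = violated.trim().split(/\s+/);
  return { name, sources };
}

// Classify one report. Browsers reduce a blocked data: URI to just "data:" in
// the report, so the scheme is the only thing we can match on.
function triageCspReport(report) {
  const r = report['csp-report'] || report;
  const blocked = (r['blocked-uri'] || '').trim();
  const { name, sources } = parseDirective(r['violated-directive'] || '');
  const scheme = blocked.includes(':') ? blocked.slice(0, blocked.indexOf(':') + 1) : '';

  let severity = 'info';
  let reason = `${name} violation for ${blocked || '(none)'}`;
  if (name === 'script-src' && scheme === 'data:') {
    // The script body travels inside the src attribute; no host was contacted,
    // so there is no network log to correlate with. Inspect the page's DOM and
    // the user's extensions rather than the CDN allowlist.
    severity = 'high';
    reason = 'script loaded from a data: URI; JavaScript is embedded in the src itself';
  } else if (name === 'script-src') {
    severity = 'medium';
    reason = `script from ${blocked} is not in the allowlist`;
  }

  // 'unsafe-inline' / 'unsafe-eval' weaken the policy but do not permit data:.
  const weakSources = sources.filter(s => s === "'unsafe-inline'" || s === "'unsafe-eval'");
  return { directive: name, blockedScheme: scheme, severity, reason, weakSources,
           allowsData: sources.includes('data:') };
}

for (const rep of SAMPLE_REPORTS) console.log(JSON.stringify(triageCspReport(rep)));
```

Reports whose `allowsData` is true would never be generated for a `data:` script; if you see one, the policy the browser enforced differs from the one you think you deployed.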