Why would I get a CSP violation for the blocked-uri 'about'?

My CSP report URI has received the following CSP violation:

{
  "csp-report":{
    "document-uri":"https://example.com/blog/somepage",
    "referrer":"",
    "violated-directive":"img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com",
    "effective-directive":"img-src",
    "original-policy": veryLongPolicyGoesHere,
    "blocked-uri":"about",
    "status-code":0
  }
}

Why would I get a CSP violation for the blocked-uri 'about'?

Is this the inbuilt about: URL from web browsers? I can't replicate the problem when I try.

mikemaccana asked Sep 01 '15 16:09


People also ask

What does err blocked by CSP mean?

You may be seeing blocked:csp in Chrome developer tools when the browser is trying to load a resource. It might show up in the status column as (blocked:csp). CSP stands for Content Security Policy, and it is a browser security mechanism.

What is Report URI in CSP?

The deprecated HTTP Content-Security-Policy (CSP) report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

What is blocked by Content Security Policy?

Content Security Policy blocks all resources that don't match its policy. To view the policy for a specific website, use the CSP Evaluator.

How do I enable CSP?

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.)


2 Answers

I worked with the user to discover it is indeed the Disconnect extension that is causing this. I contacted the people making the extension, and they confirmed they block URIs by replacing them with about:blank; this is what is causing the CSP violations.

Until Disconnect fixes their blocking scheme, I think the best approach is to simply ignore the CSP violation reports when blocked-uri is about.

Tomi Junnila answered Oct 24 '22 03:10


I think I may have found a temporary workaround (until whatever causes about:blank on the page is fixed): adding about: to the directives that are violated. I tried adding it to the default-src, but I still received a violation report. I added it to img-src and script-src, and the violations did not show up.

Tiffany answered Oct 24 '22 01:10
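The two answers above suggest two different places to deal with these reports: the accepted answer drops them at the report endpoint, the second adds about: to the violated directives. The following Node.js code is an added example illustrating both, not code from the thread, from Disconnect or from any CSP library. The report shape is the one shown in the question; treating the bare string "about" and anything starting with "about:" as the same case is an assumption, since browsers do not all serialize about:blank identically. The sample report and the short policy it carries are constructed for this example (the question's veryLongPolicyGoesHere is not reproduced). The policy rewriter touches only directives that are explicitly present: when img-src is set, the browser does not consult default-src for images at all, which is why adding about: only to default-src produced no change in the second answer.

```javascript
// Added example (not from the original thread): a CSP report-endpoint
// filter and a small policy rewriter, plain Node.js, no dependencies.

// Extract the fields we care about from a report body as sent to report-uri.
// The "csp-report" wrapper is what the question shows; the fallback to the
// bare object is an assumption for tolerance, not a documented format.
function parseCspReport(body) {
  const parsed = JSON.parse(body);
  const report = parsed["csp-report"] || parsed;
  return {
    documentUri: String(report["document-uri"] || ""),
    effectiveDirective: String(report["effective-directive"] || report["violated-directive"] || ""),
    blockedUri: String(report["blocked-uri"] || ""),
    originalPolicy: String(report["original-policy"] || ""),
    statusCode: report["status-code"],
  };
}

// A blocked-uri of "about" is what a client-side blocker leaves behind when it
// swaps the real URL for about:blank (the Disconnect behaviour in the accepted
// answer). Such a report says nothing about the site's own policy.
function isAboutBlankReport(report) {
  const uri = report.blockedUri.toLowerCase();
  return uri === "about" || uri.startsWith("about:");
}

// Decision for the report endpoint: true means "discard, do not alert".
// An unparseable body is also discarded, since there is nothing to act on.
function shouldIgnoreCspReport(body) {
  let report;
  try {
    report = parseCspReport(body);
  } catch (e) {
    return true;
  }
  return isAboutBlankReport(report);
}

// Parse "dir1 v v; dir2 v" into a Map that preserves directive order.
// A repeated directive name is ignored, matching CSP's first-one-wins rule.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

function serializePolicy(directives) {
  return [...directives.entries()]
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

// The second answer's workaround: append `source` to the named directives.
// Only directives that are explicitly present are changed, because an explicit
// fetch directive replaces default-src for its resource type rather than
// extending it, so adding to default-src alone has no effect on img-src.
function addSourceToDirectives(policy, source, names) {
  const directives = parsePolicy(policy);
  for (const name of names) {
    const values = directives.get(name.toLowerCase());
    if (values === undefined) continue;
    if (!values.includes(source)) values.push(source);
  }
  return serializePolicy(directives);
}

// Constructed sample: the report from the question with a shortened policy.
const SAMPLE_POLICY =
  "default-src 'self'; " +
  "img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com; " +
  "script-src 'self' platform.twitter.com";

const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://example.com/blog/somepage",
    "referrer": "",
    "violated-directive": "img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com",
    "effective-directive": "img-src",
    "original-policy": SAMPLE_POLICY,
    "blocked-uri": "about",
    "status-code": 0,
  },
});

// Run stand-alone: the filter drops the sample, and the rewriter shows the
// policy the second answer arrived at.
console.log("ignore sample report:", shouldIgnoreCspReport(SAMPLE_REPORT));
console.log(addSourceToDirectives(SAMPLE_POLICY, "about:", ["img-src", "script-src"]));
```

Filtering at the endpoint is the tighter of the two: it keeps the served policy unchanged and still records every other violation, whereas allowing about: in img-src and script-src suppresses the symptom for every visitor, not only those running the extension.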