My CSP report URI has received the following CSP violation:
{
  "csp-report": {
    "document-uri": "https://example.com/blog/somepage",
    "referrer": "",
    "violated-directive": "img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com",
    "effective-directive": "img-src",
    "original-policy": veryLongPolicyGoesHere,
    "blocked-uri": "about",
    "status-code": 0
  }
}
Why would I get a CSP violation for the blocked-uri 'about'? Is this the inbuilt about: URL from web browsers? I can't replicate the problem when I try.
What does blocked:csp mean? You may be seeing blocked:csp in Chrome developer tools when the browser is trying to load a resource. It might show up in the status column as (blocked:csp). CSP stands for Content Security Policy, and it is a browser security mechanism.
The deprecated HTTP Content-Security-Policy (CSP) report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
Content Security Policy blocks all resources that don't match its policy. To view the policy for a specific website, use the CSP Evaluator.
To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.)
I worked with the user to discover it is indeed the Disconnect extension that is causing this. I contacted the people making the extension, and they confirmed they block URIs by replacing them with about:blank; this is what is causing the CSP violations.
Until Disconnect fixes their blocking scheme, I think the best approach is to simply ignore the CSP violation reports when blocked-uri is about.
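The filtering suggested in the answer above, as an added example that is not part of the original thread: a small triage routine for a report-uri endpoint that parses the posted JSON and drops reports whose blocked-uri is the extension-injected about:blank (which browsers report as just the scheme, "about") while passing everything else on for review. The two report bodies are constructed for the example, and the "alert"/"ignore" labels are this example's own convention.

```python
import json

# blocked-uri values produced when an extension such as Disconnect swaps a
# resource for about:blank. Browsers strip non-HTTP schemes down to the scheme
# name, so the report usually carries "about"; "about:blank" is kept in case a
# user agent sends the full value.
EXTENSION_NOISE_BLOCKED_URIS = {"about", "about:blank"}

# Constructed sample report bodies (not real traffic): the first mirrors the
# report in the question, the second is a genuine policy violation.
NOISE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/blog/somepage",
    "violated-directive": "img-src 'self' data: p.typekit.net",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self'; img-src 'self' data: p.typekit.net",
    "blocked-uri": "about",
    "status-code": 0}}).encode()
REAL_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/blog/somepage",
    "violated-directive": "img-src 'self' data: p.typekit.net",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self'; img-src 'self' data: p.typekit.net",
    "blocked-uri": "https://cdn.example.net/tracker.gif",
    "status-code": 200}}).encode()


def parse_csp_report(raw: bytes) -> dict:
    """Return the inner csp-report object of a report-uri POST body."""
    payload = json.loads(raw)
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body is not a report-uri style CSP report")
    return report


def is_extension_noise(report: dict) -> bool:
    """True when the violation was caused by an extension rewriting the URL."""
    return report.get("blocked-uri", "") in EXTENSION_NOISE_BLOCKED_URIS


def triage(raw: bytes) -> tuple:
    """Classify one report body as ('ignore', reason) or ('alert', summary)."""
    report = parse_csp_report(raw)
    blocked = report.get("blocked-uri", "")
    if is_extension_noise(report):
        return ("ignore", "blocked-uri %r comes from a blocking extension" % blocked)
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    return ("alert", "%s blocked %r on %s" % (directive, blocked, report.get("document-uri")))
```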
I think I may have found a temporary workaround (until whatever causes about:blank on the page is fixed): adding about: to the directives that are violated. I tried adding it to the default-src, but I still received a violation report. I added it to img-src and script-src, and the violations did not show up.