I've been using CSP on my localhost server, and as well as normal CSP messages, have seen this:
```json
{
  "csp-report": {
    "document-uri": "https://localhost:3000/",
    "referrer": "",
    "violated-directive": "script-src 'self' 'unsafe-eval' cdn.mxpnl.com js.stripe.com platform.twitter.com syndication.twitter.com use.typekit.net",
    "effective-directive": "script-src",
    "original-policy": veryLongPolicyGoesHere,
    "blocked-uri": "",
    "source-file": "https://platform.twitter.com",
    "line-number": 2,
    "column-number": 28911,
    "status-code": 0
  }
}
```
Why is `blocked-uri` `""`? What's causing this CSP warning?
While it may not be easy to parse, you can find information about that type of report in a CSP "fingerprint" project I ran for a while: https://gist.github.com/oreoshake/29edbf9aae8125f05b66
Empty `blocked-uri`s indicate an inline script/style violation, an eval call, or an inline event handler/`javascript:` href. Your `violated-directive` allows eval, however.

If you can trigger the same error in a Firefox browser, you can inspect the `script-sample` field. It may contain the content of the inline script, or it may mention the event handler triggered, or it will include "eval" in the message.

A very large number of unexpected reports in this format come from browser extensions, namely LastPass.