Reputation: 123048
My CSP report URI has received the following CSP violation:
{
  "csp-report": {
    "document-uri": "https://example.com/blog/somepage",
    "referrer": "",
    "violated-directive": "img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com",
    "effective-directive": "img-src",
    "original-policy": veryLongPolicyGoesHere,
    "blocked-uri": "about",
    "status-code": 0
  }
}
Why would I get a CSP violation for the blocked-uri 'about'?
Is this the inbuilt about: URL from web browsers? I can't replicate the problem when I try.
Upvotes: 26
Views: 7184
Reputation: 707
I think I may have found a temporary workaround (until whatever causes about:blank on the page is fixed): adding about: to the directives that are violated. I tried adding it to the default-src, but I still received a violation report. I added it to img-src and script-src, and the violations did not show up.
Upvotes: 5
Reputation: 7543
I worked with the user to discover it is indeed the Disconnect extension that is causing this. I contacted the people making the extension, and they confirmed they block URIs by replacing them with about:blank; this is what is causing the CSP violations.
Until Disconnect fixes their blocking scheme, I think the best approach is to simply ignore the CSP violation reports when blocked-uri is about.
Upvotes: 28
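One way to apply the "ignore reports whose blocked-uri is about" advice at the report collector, leaving the policy itself unchanged. This is an added example, not code from the thread or from Disconnect; the function names and sample bodies are hypothetical, and it goes beyond the thread by also accepting Reporting API entries (`body.blockedURL`) alongside the legacy `csp-report` shape.

```javascript
// Added example; function names are hypothetical, not from the page.
const IGNORED_SCHEMES = new Set(["about"]); // the blocked-uri value reported above

// Map a legacy {"csp-report": {...}} body or a Reporting API entry to one shape.
function normalise(entry) {
  const r = entry["csp-report"] || entry.body || {};
  return {
    documentUri: r["document-uri"] || r.documentURL || "",
    blockedUri: r["blocked-uri"] || r.blockedURL || "",
    directive: r["effective-directive"] || r.effectiveDirective || "",
  };
}

// Browsers report only the scheme for non-network URLs, so "about" and
// "about:blank" are both treated as the extension's replacement URI.
function isAboutNoise(report) {
  return IGNORED_SCHEMES.has(String(report.blockedUri).toLowerCase().split(":")[0]);
}

// Split a raw POST body into reports to alert on and reports to set aside.
function triageCspReports(rawBody) {
  const result = { kept: [], ignored: [], malformed: 0 };
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    result.malformed = 1; // unparseable body: count it, never throw
    return result;
  }
  for (const entry of Array.isArray(parsed) ? parsed : [parsed]) {
    if (entry === null || typeof entry !== "object") {
      result.malformed += 1;
      continue;
    }
    const report = normalise(entry);
    (isAboutNoise(report) ? result.ignored : result.kept).push(report);
  }
  return result;
}

// Constructed sample bodies (not captured traffic).
const SAMPLE_ABOUT = JSON.stringify({ "csp-report": {
  "document-uri": "https://example.com/blog/somepage",
  "effective-directive": "img-src", "blocked-uri": "about", "status-code": 0 } });
const SAMPLE_OTHER = JSON.stringify([{ type: "csp-violation", body: {
  documentURL: "https://example.com/blog/somepage",
  effectiveDirective: "img-src", blockedURL: "https://tracker.invalid/p.gif" } }]);

console.log(triageCspReports(SAMPLE_ABOUT).ignored.length,
            triageCspReports(SAMPLE_OTHER).kept.length);
```

Returning the ignored reports instead of discarding them lets the collector keep a count per directive, so a sudden change in volume is still visible.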