Reputation: 113
Chrome not reporting CSP violations
For some reason, Chrome (or at least my Chrome) isn't reporting CSP violations. It correctly refuses to display prohibited content, but it doesn't report the violation. By way of comparison, Firefox reports the violation just fine.
Consider this page. Your browser should not display an image in that page, because that image is from a prohibited URL. Chrome does that part just fine. However, Chrome does not obey the report-to or report-uri directives (I have both). Again, Firefox obeys those directives.
I understand that a browser may choose not report redundant violations, but that's not the case here. I've tried using different urls and none of them produce reports.
I'm using Chrome Version 75.0.3770.90 (Official Build) (64-bit)
Any help is appreciated.
Upvotes: 6
Views: 3465
Answers (1)
Reputation: 1900
You may listen 'securitypolicyviolation' event and report manually
if(window.chrome /* and if not setting report-to using HTTP response headers */) {
document.addEventListener('securitypolicyviolation', (e)=> {
let reportToUrl='https://example.com/csp-reports'; // change it
fetch(reportToUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/csp-report'
},
body: JSON.stringify({
'csp-report':{
'blocked-uri': e.blockedURI,
'document-uri': e.documentURI,
'original-policy': e.originalPolicy,
'referrer': e.referrer,
'script-sample': e.sample,
'source-file': e.sourceFile,
'violated-directive': e.violatedDirective
}
}),
credentials: "omit",
cache: "no-cache",
referrerPolicy: "no-referrer"
});
});
}
2023 update
HTTP response headers below should work.
First:
Report-To: { "group": "csp-endpoint",
"max_age": 5,
"endpoints": [
{ "url": "https://example.com/csp-reports" }
] }
then
Content-Security-Policy: report-to csp-endpoint;
or
Content-Security-Policy-Report-Only: report-to csp-endpoint;
Upvotes: 4
Related Questions
- CSP header fails with "Refused to apply inline style..." but I have already added the hash
- Debugging CSP violation in Google Chrome
- form-action CSP blocking allowed URL
- Why doesn't Chrome respect my Content Security Policy hashes?
- Content Security Policy violation event is not triggered
- Content Security Policy ignored by Latest Chrome Update
- Chrome with CSP img-src * still blocks images
- Chrome 63 seems to ignore or break on worker-src CSP headers
- content_security_policy not taking effect in Chrome Extension
- Issue With Content Security Policy in Chrome Extension