Yathish Manjunath

Reputation: 2029

Content-Security-Policy: script-src 'self' not working in Firefox 78 on Windows NT 10 for loading scripts from the same origin

We have the below CSP Report-Only policy set, which allows all scripts to load from the same origin using 'self'. But in the Firefox 78 browser on Windows NT 10 it still reports loading a script from the same origin as an error.

CspReport {
            blockedUri='https://staging.global.com/app/ui/home/home.js', 
            documentUri='https://staging.global.com/app/ui/home/home.html', 
            violatedDirective='script-src'
            disposition='null', 
            effectiveDirective='null', 
            originalPolicy='default-src 'none'; connect-src 'self'  https://www.google-analytics.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: blob: https://www.google-analytics.com https://www.googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com; script-src 'self' 'unsafe-eval' 'unsafe-inline'  https://www.google-analytics.com https://www.googletagmanager.com https://tagmanager.google.com https://maps.googleapis.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com https://fonts.googleapis.com; manifest-src 'self'; frame-ancestors 'self'; frame-src 'self';
            report-uri /app/report
          }

Browser details:

 userAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0'

CSP Policy:

default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline';

Please help to resolve this.

Thanks in advance.

Upvotes: 0

Views: 1957

Answers (1)

granty

Reputation: 8496

You have added very helpful fields, so we can investigate using the Sherlock Holmes deduction method.

  1. disposition='null' means we are dealing with a non-CSP3 browser. The disposition field was introduced in CSP3 only and can be either "enforce" or "report".
  2. violatedDirective='script-src' + effectiveDirective='null' confirms the guess in point 1 above. According to the CSP3 spec, effectiveDirective and violatedDirective both carry the same value. This is intentional, to maintain backwards compatibility.

Hence this violation report was definitely sent by a CSP2 browser (or even CSP1). But Mozilla Firefox v78 fully supports CSP3.
This means that your visitor substituted the user agent for some reason.

Your CSP is correct; a genuine Firefox browser should not send any report.

My guess is we are dealing with a parser bot which uses a legacy browser emulator. If you log IP addresses in the reports you can check via a whois service whether the address belongs to some public hosting provider.
Also a "country by IP" lookup could help to clarify whether it is your real customer or not.

But one thing remains unclear: your app has password-protected access. Without auth, access is blocked on a page which has no CSP header at all.

Anyway, for older browser support you can explicitly add https://staging.global.com into the policy:

script-src 'self' 'unsafe-eval' 'unsafe-inline' https://staging.global.com;

and observe if this violation disappears or not.

Upvotes: 2
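The deduction in the answer above (CSP3 reports carry `disposition` and `effective-directive`; a report that blocks a same-origin script although `script-src` contains `'self'` is inconsistent with its own policy) can be turned into a small triage step on the report endpoint. The code below is an added example and is not part of the question or the answer. It assumes the JSON field names of the legacy `csp-report` format (`blocked-uri`, `document-uri`, `violated-directive`, `effective-directive`, `disposition`, `original-policy`), takes the "Firefox 78 fully supports CSP3" threshold from the answer as an assumption, and uses a constructed sample report mirroring the one in the question. It also shows the answer's suggested workaround of adding the site's own origin to the directive explicitly.

```python
"""Triage CSP violation reports received at a report-uri endpoint.

Two checks, both derived from the reasoning in the answer:
  1. Does the report contradict its own policy? (e.g. same-origin script
     blocked while the governing directive contains 'self')
  2. Does the User-Agent claim a CSP3 browser while the report lacks the
     CSP3-only fields (disposition / effective-directive)?
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample, mirroring the fields shown in the question (not a real log).
SAMPLE_REPORT = {
    "blocked-uri": "https://staging.global.com/app/ui/home/home.js",
    "document-uri": "https://staging.global.com/app/ui/home/home.html",
    "violated-directive": "script-src",
    "disposition": None,          # absent in the question's report
    "effective-directive": None,  # absent in the question's report
    "original-policy": (
        "default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' "
        "https://www.google-analytics.com; report-uri /app/report"
    ),
}
SAMPLE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"

# Assumption taken from the answer: Firefox 78 and later send CSP3-style reports.
ASSUMED_FIREFOX_CSP3_MIN = 78


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def origin(url: str) -> Optional[str]:
    """scheme://host[:port] of a URL, or None for non-URL values like 'inline'."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csp_level(report: dict) -> int:
    """3 when the CSP3-only fields are present and well-formed, else 2 (or 1)."""
    if report.get("disposition") in ("enforce", "report") and report.get("effective-directive"):
        return 3
    return 2


def firefox_version(user_agent: str) -> Optional[int]:
    match = re.search(r"Firefox/(\d+)", user_agent)
    return int(match.group(1)) if match else None


def ua_contradicts_report(user_agent: str, report: dict) -> bool:
    """UA claims a CSP3-capable Firefox but the report is a CSP2/CSP1 one."""
    version = firefox_version(user_agent)
    return version is not None and version >= ASSUMED_FIREFOX_CSP3_MIN and csp_level(report) < 3


def report_contradicts_policy(report: dict) -> bool:
    """True when original-policy would have allowed the blocked resource.

    Handles 'self' and exact origin matches only; wildcards and path-based
    source expressions are out of scope for this example.
    """
    directives = parse_policy(report["original-policy"])
    name = (report.get("effective-directive") or report["violated-directive"]).lower()
    sources = [s.lower().rstrip("/") for s in directives.get(name, directives.get("default-src", []))]
    blocked, document = origin(report["blocked-uri"]), origin(report["document-uri"])
    if blocked is None:
        return False
    if "'self'" in sources and blocked == document:
        return True
    return blocked in sources


def triage(report: dict, user_agent: str) -> List[str]:
    """Return human-readable findings; an empty list means the report looks genuine."""
    findings = []
    if report_contradicts_policy(report):
        findings.append("blocked-uri is permitted by original-policy: report is inconsistent")
    if ua_contradicts_report(user_agent, report):
        findings.append("UA claims a CSP3 browser but report lacks CSP3 fields: possible UA substitution")
    return findings


def with_explicit_origin(policy: str, directive: str, site_origin: str) -> str:
    """The answer's workaround: name the site's own origin next to 'self'."""
    directives = parse_policy(policy)
    if site_origin not in directives.get(directive, []):
        directives.setdefault(directive, []).append(site_origin)
    return "; ".join(f"{k} {' '.join(v)}".strip() for k, v in directives.items())


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT, SAMPLE_UA):
        print("finding:", finding)
    print(with_explicit_origin(SAMPLE_REPORT["original-policy"], "script-src", "https://staging.global.com"))
```

Reports that trip both checks are worth segregating from the rest of the report stream (together with the source IP, as the answer suggests) before anyone spends time loosening a policy that is already correct.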
