Reputation: 307
My site has been running a content-security-policy-report-only header for several months, during which time I have seen a number of violations for a domain which should be whitelisted. The site receives enough traffic and the reports are infrequent enough that it seems as if the policy must be working as intended for most users.
The following report shows both the original policy and the problematic violation:
```json
{"csp-report":{
"document-uri":"https://admin1.sitespect.com/",
"referrer":"https://admin1.sitespect.com/",
"violated-directive":"script-src-elem",
"effective-directive":"script-src-elem",
"original-policy": "
report-uri /log/CSP/PolicyViolations?csptoken=ZTBXXVPXFRBRTETZFOQK;
default-src 'self' 'unsafe-eval' 'unsafe-inline';
frame-src * data:;
img-src * data: blob:;
script-src https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
script-src-elem https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
connect-src https://api.feedback.eu.pendo.io https://api.hubapi.com https://forms.hubspot.com https://recs.sitespect.net https://*.receptive.io https://api.hubspot.com 'self';
worker-src 'self' 'unsafe-eval' 'unsafe-inline' blob:;",
"disposition":"report",
"blocked-uri":"https://feedback.pendo.io/js/widget/widget.js",
"status-code":0,
"script-sample":""
}}
```
Is there something I've missed in my policy? I know that enforcement of the CSP is occasionally different across browsers - the violations from the past month have been from Chrome 87 based on user agents, but I can't guarantee that's the case for all of them.
Upvotes: 2
Views: 1705
Reputation: 8496
The answer is in the "status-code":0 string of the violation report. 0 (really it's empty) means no HTTP status code was returned when the browser tried to load https://feedback.pendo.io/js/widget/widget.js.
It happens because ad blockers block the connection. The pendo.io domain is contained in blacklists, for example AdBlock and AdGuard.
The browser cannot access such a "whitelisted" domain and it does not get any HTTP status code (200 OK, 301/304/403/404/500, etc.). Therefore some browsers erroneously treat this as a CSP violation, not as a network error.
Upvotes: 2
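An added example (not from the question or the answer) of applying this reasoning when triaging reports at the report-uri endpoint: a report whose blocked-uri is actually allowed by the effective directive, yet arrives with status-code 0, is flagged as a client-side network error (ad blocker, offline, etc.) rather than a policy violation. The sample report is constructed from the one in the question with the policy shortened; the source matcher is simplified (ports and path matching ignored).

```python
import json
from urllib.parse import urlparse

# Constructed sample, trimmed from the report in the question (strict JSON, one-line policy).
SAMPLE = json.loads('''{"csp-report": {
 "document-uri": "https://admin1.sitespect.com/",
 "effective-directive": "script-src-elem",
 "original-policy": "default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src-elem https://www.google.com https://*.receptive.io https://feedback.pendo.io 'self' 'unsafe-inline'; connect-src https://api.hubapi.com 'self'",
 "blocked-uri": "https://feedback.pendo.io/js/widget/widget.js",
 "status-code": 0}}''')

def parse_policy(policy):
    """Split a serialized CSP into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def source_matches(source, blocked_uri, document_uri):
    """Simplified host-source matching: 'self', '*', scheme+host and *.wildcard hosts (ports ignored)."""
    blocked, doc = urlparse(blocked_uri), urlparse(document_uri)
    if source == "'self'":
        return (blocked.scheme, blocked.hostname) == (doc.scheme, doc.hostname)
    if source == "*":
        return True
    if source.startswith("'") or source.endswith(":"):
        return False  # keywords, nonces/hashes and scheme-sources are not host matches
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != blocked.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return (blocked.hostname or "").endswith(host[1:])
    return blocked.hostname == host

def triage(report):
    """Classify one report: 'violation', 'network-error' (allowed but no HTTP response) or 'review'."""
    r = report["csp-report"]
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    policy = parse_policy(r["original-policy"])
    fallbacks = (directive, directive.replace("-elem", "").replace("-attr", ""), "default-src")
    sources = next((policy[n] for n in fallbacks if n in policy), [])  # -elem -> base -> default-src
    allowed = any(source_matches(s, r["blocked-uri"], r["document-uri"]) for s in sources)
    if not allowed:
        return "violation"
    return "network-error" if r.get("status-code", 0) == 0 else "review"
```

Counting how many "network-error" reports share the same blocked-uri host tells you whether a whitelisted domain is simply being filtered on the client, as the answer describes, before you touch the policy.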