我已经使用了一个仅限的Policy-Policy-Policy-Poly-Poly-Releply标题,并且一直在看到在同一CSP标头中允许列入多个域的违规行为。我将所有要允许列表的域放置在默认的SRC中,并且没有任何其他指令(除了nonce的样式SRC外)。我看到其他流量似乎通过了,当我在自己的浏览器上测试URL时,它会成功而没有任何违规行为。我一直在寻找背后的可能原因,这使我发表了帖子,例如,为什么script script-src-elem不使用脚本 - src的值作为倒计时? ,and https://csplite.com/csp277/
这些链接说该状态代码0当浏览器试图加载链接时,请求被阻止,并且由于广告阻滞剂而可能发生。我还看到了这些状态代码0违规报告,并过滤了状态代码0/空。但是,即使在更改之后,我仍然看到一些在允许名单的域以及状态代码200上违反的请求。这也可能是由于Adblockers造成的吗?
我确实注意到,通过扩展造成的某些违规行为将以源文件列为chrome-extension,因此不确定这是否可能是由于扩展而造成的。 我确实注意到的一件事是,如果报告中没有阻塞的URI,而默认SRC中未允许列表中未列出,则违反指令将是frame-src(默认为默认为默认的src,在没有域,因此预计违规)。但是,对于允许列表中的已阻止的URI的报告的情况,违反指令和有效的指令将是IMG-SRC(也应该默认为默认值,但也许它没有看到那里的允许域中的域)
示例报告
{"linenumber":"",
"request":"",
"documenturi":"mysite.com",
"originalpolicy":"default-src 'self' mysite.com *.redirectsite.com redirectsite.com; style-src 'nonce-d93e18cc'; report-uri /csp-reports",
"violateddirective":"img-src",
"statuscode":"200",
"referrer":"",
"scriptsample":"",
"effectivedirective":"img-src",
"columnnumber":"",
"requestheaders":"",
"blockeduri":"https://x.redirectsite.com/s........",
"sourcefile":""}
确实有人对此有任何经验吗?
I have been using a content-security-policy-report-only header for multiple weeks and have been seeing violations for multiple domains which are allowlisted in the same csp header. I placed all the domains I want to allowlist in the default src and don't have any other directives (other than style src for a nonce). I see other traffic which seem to pass and when I test the url on my own browser it succeeds without any violations. I have been looking at possible reasons behind this and that lead me to posts such as Content-Security-Policy Blocking Whitelisted Domains, Why is script-src-elem not using values from script-src as a fallback?, and https://csplite.com/csp277/
These links say that status code 0 or empty indicate the request was blocked while the browser tries to load the link and can happen due to ad blockers. I was also seeing these status code 0 violations reports and have filtered out status code 0/empty. But even after the change I still see a few requests that violate on allowlisted domains and with status code 200. Could this also be due to adblockers?
I did notice that some violations caused by extensions would list in source-file as chrome-extension so unsure if this could be due to extensions.
One thing I did notice was that if a report had a blocked uri that was not in the allow list in the default src, the violated directive would be a frame-src (which should default to default-src where there would be no domain so violation is expected). But in the case of a report with a blocked uri that was in the allow list, the violated directive and effective directive would be an img-src (which should also default to default but maybe it's not seeing the allowlisted domain there)
Example Report
{"linenumber":"",
"request":"",
"documenturi":"mysite.com",
"originalpolicy":"default-src 'self' mysite.com *.redirectsite.com redirectsite.com; style-src 'nonce-d93e18cc'; report-uri /csp-reports",
"violateddirective":"img-src",
"statuscode":"200",
"referrer":"",
"scriptsample":"",
"effectivedirective":"img-src",
"columnnumber":"",
"requestheaders":"",
"blockeduri":"https://x.redirectsite.com/s........",
"sourcefile":""}
Does anyone have any experience with this?
发布评论
评论(1)
最终从含量 - 安全性报道中切换到内容 - 安全性 - 政策标题,尽管看到了这些状态代码200违规行为。切换后,仍然看到状态代码0违规,但状态代码200消失了。也许这是一个错误,浏览器如何支持纯粹的Policy-Policy-Poly-Remelly标题。但最终为这个用户酶锻炼了。希望这对别人有帮助
Ended up switching from content-security-policy-report-only to content-security-policy header even though was seeing these status code 200 violations. After switching, still saw status code 0 violations but status code 200 disappeared. Perhaps it is a bug with how browsers support the content-security-policy-report-only header. But ended up working out for this usecase. Hope this helps someone else