- From: Pawel Krawczyk <pawel.krawczyk@hush.com>
- Date: Wed, 3 Sep 2014 16:47:11 +0100
- To: public-webappsec@w3.org
- Message-ID: <6183b8486cfab983d5da15f3fe12cc9d@smtp.hushmail.com>
A small issue we have just discussed at GitHub https://github.com/w3c/webappsec/issues/52:
CSP violation reports sent when browser blocks eval() and inline script are identical in their contents, which makes it difficult to determine what really caused them.
In both cases the fields violated-directive will be set to script-scr and blocked-uri will be empty. So when I'm trying to analyse received reports I can't really say what I should allow - unsafe-eval or unsafe-inline. Sample fields extracted from such reports:
"blocked-uri":""
"violated-directive":"script-src 'none’"
The solution might be either sending some kind of meaningful blocked-url value - such as self-eval or self-inline, or adding an additional field to the report, such as blocked-feature set to eval or inline respectively.
Sample full report:
{"csp-report":{"document-uri":"http://webcookies.info/","referrer":"","violated-directive":"script-src
'none'","original-policy":"base-uri http://webcookies.info; connect-src 'none'; font-src 'none'; form-action 'none'; frame-ancestors 'none'; child-src 'none'; default-src 'none'; frame-src 'none'; img-src 'none'; media-src 'none';
object-src 'none'; script-src 'none'; style-src 'none'; report-uri http://new.cspbuilder.info:8080/report/9018643792216450862","blocked-uri":"","source-file":"http://pagead2.googlesyndication.com","line-number":101,"column-number":236,"status-code":200}}
--
Pawel Krawczyk
pawel.krawczyk@hush.com +44 7879 180015
CISSP, OWASP
Received on Thursday, 4 September 2014 12:10:42 UTC