W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

CSP reports on eval() and inline

From: Pawel Krawczyk <pawel.krawczyk@hush.com>
Date: Wed, 3 Sep 2014 16:47:11 +0100
Message-ID: <6183b8486cfab983d5da15f3fe12cc9d@smtp.hushmail.com>
To: public-webappsec@w3.org
A small issue we have just discussed at GitHub https://github.com/w3c/webappsec/issues/52:

CSP violation reports sent when browser blocks eval() and inline script are identical in their contents, which makes it difficult to determine what really caused them.

In both cases the fields violated-directive will be set to script-scr and blocked-uri will be empty. So when I'm trying to analyse received reports I can't really say what I should allow - unsafe-eval or unsafe-inline. Sample fields extracted from such reports:


"violated-directive":"script-src 'none’"

The solution might be either sending some kind of meaningful blocked-url value - such as self-eval or self-inline, or adding an additional field to the report, such as blocked-feature set to eval or inline respectively.
Sample full report:

 'none'","original-policy":"base-uri http://webcookies.info; connect-src 'none'; font-src 'none'; form-action 'none'; frame-ancestors 'none'; child-src 'none'; default-src 'none'; frame-src 'none'; img-src 'none'; media-src 'none';
 object-src 'none'; script-src 'none'; style-src 'none'; report-uri http://new.cspbuilder.info:8080/report/9018643792216450862","blocked-uri":"","source-file":"http://pagead2.googlesyndication.com","line-number":101,"column-number":236,"status-code":200}}

Pawel Krawczyk
pawel.krawczyk@hush.com +44 7879 180015

Received on Thursday, 4 September 2014 12:10:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:40 UTC