> 07.03.2017, 00:29, "Artur Janc" <aaj@google.com>:
> Your point about violation reports not being helpful is shared by many folks, but the snippets you pasted should actually be useful for debugging. A developer can grep their codebase for such strings to see if any legitimate inline scripts are being blocked. For external scripts, the blocked-uri should generally help the developer pinpoint the offending resource.
 
I know that these are not inline scripts. But their further identification is doubtful.
 
 
> reporting the HTML environment of a violating script, it seems like an interesting idea -- can you explain what you mean in more detail?
 
The source script is marked as 'self' ('inline') in the report for all the cases below:
1. This may be an attempt to call eval on a downloaded script.
2. It may be trying to insert a 'script' element into the document.
3. It could be XSS.
4. This can be a CRLF or XST attack. For example, a hacker could insert an extra \r\n and a <script> tag after some header of the HTTP response, and the code is now displayed in the HTML.
5. A completely fake (or error) page from a CDN or other outside servers.
6. It can be an advertisement inserted by the provider.
 
To identify these cases, I need:
 
1. I need to know which function called the eval function. I must know the fact that eval was called.
2. I need to know what was trying to insert a script element, and exactly how the script was inserted.
3. Here I should understand what preceded the blocked script element.
In the case of the simplest error, I have the code
 
<div>
$$$
</div>
 
and the hacker simply inserts code that is inserted unescaped from the GET request.
 
Here I need to identify the div element, to understand that the request really is an XSS issue. Roughly speaking, I need the ID of the nearest ancestor of the div element and the path to that element.
 
4. This attack will, most likely, be at the beginning of the document, even before the opening html tag. I need to know what it is.
 
5. To identify the error, I need to know the status of the request (which Chrome sends, but Firefox does not).
I don't know how to identify a fake.
 
6. I need to know the HTML elements, to understand that the ad code was inserted correctly.
Similar to item 3.
Ideally, I should get a few page hashes before and after the inserted code to make sure that the rest of the page is mine.
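As an added example, not code from this thread or from any browser vendor: the DOM context asked for in items 3 and 6 (the id of the nearest ancestor, the path to the blocked element, and what preceded it) can be collected by the page itself, because the CSP3 'securitypolicyviolation' event is fired at the violating element for inline violations and bubbles to the document. That event behaviour is taken from the spec, not from the thread; the function names, the '/csp-report-ext' endpoint, the mock DOM and the sample event below are all assumptions made so the code runs outside a browser. When the target is the document rather than an element (for example a violation before the opening html tag), the path is reported as null, so this does not cover item 4.

```javascript
// Added example (not from the thread): capture the DOM context of a blocked
// inline script in the browser, so a report can say where in the page the
// script sat. Assumes the CSP3 'securitypolicyviolation' event, which is
// fired at the violating element for inline violations and bubbles to the
// document; when the target is the document instead, the path is null.

// Walk up from `el` and build a selector-like path, stopping at the nearest
// element that has an id (the id anchors the path, so nothing above it is needed).
function elementPath(el) {
  const parts = [];
  let node = el;
  while (node && node.nodeType === 1) {
    const tag = node.tagName.toLowerCase();
    if (node.id) {
      parts.unshift(tag + '#' + node.id);
      break;
    }
    let step = tag;
    const parent = node.parentNode;
    if (parent && parent.nodeType === 1) {
      const sameTag = Array.from(parent.children).filter(s => s.tagName === node.tagName);
      if (sameTag.length > 1) step += ':nth-of-type(' + (sameTag.indexOf(node) + 1) + ')';
    }
    parts.unshift(step);
    node = parent;
  }
  return parts.join(' > ');
}

// The id of the nearest element (self or ancestor) that has one, or null.
function nearestAncestorId(el) {
  for (let node = el; node && node.nodeType === 1; node = node.parentNode) {
    if (node.id) return node.id;
  }
  return null;
}

// Standard report fields plus the DOM context the thread asks for.
function describeViolation(ev) {
  const target = ev.target && ev.target.nodeType === 1 ? ev.target : null;
  const prev = target && target.previousElementSibling;
  return {
    blockedURI: ev.blockedURI,
    violatedDirective: ev.violatedDirective,
    sample: ev.sample,            // script snippet, when the browser supplies one
    statusCode: ev.statusCode,
    elementPath: target ? elementPath(target) : null,
    nearestId: target ? nearestAncestorId(target) : null,
    previousSibling: prev ? prev.tagName.toLowerCase() : null,
  };
}

// Browser wiring; '/csp-report-ext' is an assumed endpoint, not a real one.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => {
    navigator.sendBeacon('/csp-report-ext', JSON.stringify(describeViolation(ev)));
  });
}

// --- Constructed mock DOM so the functions can be exercised outside a browser ---
function mockElement(tagName, id, children) {
  const el = { nodeType: 1, tagName: tagName.toUpperCase(), id: id || '',
               parentNode: null, previousElementSibling: null, children: children || [] };
  el.children.forEach((child, i) => {
    child.parentNode = el;
    child.previousElementSibling = i > 0 ? el.children[i - 1] : null;
  });
  return el;
}

// Constructed page: the injected <script> lands in the second <div> under #content.
function buildSampleTree() {
  const injected = mockElement('script', '');
  const root = mockElement('html', '', [
    mockElement('body', '', [
      mockElement('div', 'content', [
        mockElement('div', '', [mockElement('p', '')]),
        mockElement('div', '', [mockElement('p', ''), injected]),
      ]),
    ]),
  ]);
  return { root, injected };
}

// Constructed event carrying the fields a browser would populate.
function sampleEvent(target) {
  return { target, blockedURI: 'inline', violatedDirective: 'script-src',
           sample: 'document.write(location.search)', statusCode: 200 };
}

if (typeof document === 'undefined') {
  const { injected } = buildSampleTree();
  console.log(JSON.stringify(describeViolation(sampleEvent(injected)), null, 2));
}
```

The path stops at the first ancestor with an id on purpose: a site owner can grep their templates for that id, which is the kind of lookup the quoted reply suggests for inline snippets, and the previous sibling tag tells them what the injected element followed.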