Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
260 views
in Technique[技术] by (71.8m points)

http headers - Content-Security-Policy Blocking Whitelisted Domains

My site has been running a content-security-policy-report-only header for several months, during which time I have seen a number of violations for a domain which should be whitelisted. The site receives enough traffic and the reports are infrequent enough that it seems as if the policy must be working as intended for most users.

The following report shows both the original policy and the problematic violation:

{"csp-report":{
    "document-uri":"https://admin1.sitespect.com/",
    "referrer":"https://admin1.sitespect.com/",
    "violated-directive":"script-src-elem",
    "effective-directive":"script-src-elem",
    "original-policy": "
        report-uri /log/CSP/PolicyViolations?csptoken=ZTBXXVPXFRBRTETZFOQK;
        default-src 'self' 'unsafe-eval' 'unsafe-inline';
        frame-src * data:;
        img-src * data: blob:;
        script-src https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
        script-src-elem https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
        connect-src https://api.feedback.eu.pendo.io https://api.hubapi.com https://forms.hubspot.com https://recs.sitespect.net https://*.receptive.io https://api.hubspot.com 'self';
        worker-src 'self' 'unsafe-eval' 'unsafe-inline' blob:;",
    "disposition":"report",
    "blocked-uri":"https://feedback.pendo.io/js/widget/widget.js",
    "status-code":0,
    "script-sample":""
}}

Is there something I've missed in my policy? I know that enforcement of the CSP is different across browsers occasionally - the violations from the past month have been from Chrome 87 based on user agents, but I can't guarantee that's the case for all of them.

question from:https://stackoverflow.com/questions/66052239/content-security-policy-blocking-whitelisted-domains

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The answer is in the "status-code":0, string of the violation report. 0 (really it's empty) means no HTTP status code was returned when browser try to load https://feedback.pendo.io/js/widget/widget.js.

It happens because of Ads blokers blocks connection. The pendo.io domain contains in a blacklists for example AdBlock and AdGuard.

Browser can not access such "whitelisted" domain and it do not get any HTTP status code (200 OK, 301/304/403/404/500 etc). Therefore some browsers erroneously treats this as a CSP violation, not as network error.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...