When I turn on CSP logging, I get reports similar to this one:
CSP: Directive style-src *.mydomain.com fonts.googleapis.com violated.
Blocked URI: .
Data: stdClass Object
(
[document-uri] => http://mydomain.com/admin/config/system/seckit
[referrer] => http://mydomain.com/admin/config/system/seckit
[violated-directive] => style-src *.mydomain.com fonts.googleapis.com
[original-policy] => default-src *.mydomain.com; script-src *.mydomain.com maps.googleapis.com; style-src *.mydomain.com fonts.googleapis.com; report-uri /admin/config/system/seckit/csp-report
[blocked-uri] =>
[source-file] => http://mydomain.com/sites/all/modules/jquery_update/replace/jquery/1.5/j...
[line-number] => 16
[column-number] => 17400
[status-code] => 200
)
Because the blocked URI value is empty, I can't tell what's triggering the violation. I've looked through the source of the page in question, and I think I've got the proper rules in place to whitelist approved third-party sources. However, I keep getting these reports.
Comments
Comment #1
jweowu commented: The report is generated by the user agent visiting the site, and SecKit logs the data it's given. If the user agent doesn't say what the blocked URI was, SecKit can't guess.
This *sounds* like a bug in the user-agent. If you're triggering these yourself, you could try using a different one? And if it happens with multiple different user-agents, then do some searching for why blocked-uri might be empty, and report back.
Comment #2
rajeev.cp@sreyas.com commented: I have the same issue. What do I have to do?
Comment #3
brad.bulger commented: I am seeing a bunch of entries saying the img-src directive was violated, reporting blocked-uri as "data" (the literal word).
Is that this same issue, that this is somehow what was in the request?
Comment #4
jweowu at Catalyst IT commented: That sounds like https://stackoverflow.com/questions/18447970
I.e. adding data: (with the trailing colon) as one of your permitted img-src values would allow those URLs. Refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Securi...
Edit: Reworded to avoid any recommendation -- obviously you need to do what's correct for your own CSP.
Comment #5
brad.bulger commented: When the blocked-uri value is just "data" or "blob" (not "data:"), I don't know if that is supposed to be a hostname or if it is in fact the schema of that name. If blocked-uri should always be a URI, and always have a schema, I guess that would tell me.
This is information coming from the requester, is that correct? It's what's in the HTTP request from the client?
Comment #6
jweowu at Catalyst IT commented:
> This is information coming from the requester, is that correct? It's what's in the HTTP request from the client?
Correct. The web site merely tells the user agent what the rules are, but it's the user agent which enforces the rules (and optionally reports any would-be violations that it suppressed). Drupal is then logging the content of the violation-report requests.
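Added example (not part of this thread and not SecKit's own code): a small triage script for the reports a report-uri endpoint receives, covering both shapes discussed above, the empty blocked-uri in the original post and the literal "data" in comment #3. It decodes the JSON body a user agent POSTs (SecKit's log dump is that same object after decoding) and sorts blocked-uri into the cases a practitioner meets: an empty value or the token "inline", which user agents send for an inline style or script violation (CSP 1.0-era browsers sent the empty string, later ones send "inline", and some Firefox versions sent "self"), so the useful fields are source-file, line-number and column-number; "eval"; a bare scheme such as "data" or "blob", which is what the CSP reporting rules reduce data:, blob: and filesystem: resources to before reporting, so the source expression to add is data: with the colon; and a real URL, whose origin is checked against the violated directive's host-sources. The sample reports, the example.net hostname and the source-file path are constructed for this example (the truncated jQuery path from the thread is not reproduced), and the matcher only handles host-sources and scheme-sources, not 'self', nonces or hashes.

```python
import json
from urllib.parse import urlsplit

# Non-URL values a user agent may put in blocked-uri.
SCHEME_ONLY = {"data", "blob", "filesystem"}     # report-stripping leaves only the scheme
INLINE_TOKENS = {"", "inline", "self"}           # "" (CSP 1.0 era), "inline" (CSP 2+), "self" (old Firefox)

# Constructed sample report bodies in the wire format POSTed to report-uri.
# Hostnames, paths and the example.net origin are made up for this example.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "http://mydomain.com/admin/config/system/seckit",
        "violated-directive": "style-src *.mydomain.com fonts.googleapis.com",
        "original-policy": "default-src *.mydomain.com; style-src *.mydomain.com fonts.googleapis.com",
        "blocked-uri": "",
        "source-file": "http://mydomain.com/sites/all/modules/example.js",   # constructed path
        "line-number": 16, "column-number": 17400, "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "http://mydomain.com/",
        "violated-directive": "img-src *.mydomain.com",
        "original-policy": "default-src *.mydomain.com; img-src *.mydomain.com",
        "blocked-uri": "data"}}),
    json.dumps({"csp-report": {
        "document-uri": "http://mydomain.com/",
        "violated-directive": "img-src *.mydomain.com",
        "original-policy": "default-src *.mydomain.com; img-src *.mydomain.com",
        "blocked-uri": "https://cdn.example.net/logo.png"}}),
]


def host_matches(source, host):
    """Match one CSP host-source (optional scheme, port, path) against a hostname.
    Keywords ('self' etc.) and scheme-sources (data:, https:) are not host-sources."""
    if source.startswith("'") or source.endswith(":"):
        return False
    pattern = source.split("://")[-1].split("/")[0].split(":")[0].lower()
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # *.example.com matches subdomains only, not the apex example.com
        return host.endswith(pattern[1:])
    return host == pattern


def classify(blocked_uri):
    """Map a raw blocked-uri value to the kind of violation it describes."""
    if blocked_uri in INLINE_TOKENS:
        return "inline"
    if blocked_uri == "eval":
        return "eval"
    if blocked_uri in SCHEME_ONLY:
        return "scheme"
    return "url"


def triage(report_body):
    """Decode one report-uri POST body and say what the user agent blocked and why."""
    r = json.loads(report_body)["csp-report"]
    parts = r.get("violated-directive", "").split()
    directive = r.get("effective-directive") or (parts[0] if parts else "?")
    sources = parts[1:]
    blocked = r.get("blocked-uri", "")
    kind = classify(blocked)
    result = {"directive": directive, "kind": kind, "blocked": blocked}
    if kind == "inline":
        # Nothing was fetched; the only clue is where the inline style/script was injected.
        result["location"] = f"{r.get('source-file', '?')}:{r.get('line-number', '?')}:{r.get('column-number', '?')}"
        result["fix"] = (f"inline {directive} injected by the code at the reported location; "
                         f"remove it or permit it with a nonce or hash")
    elif kind == "eval":
        result["fix"] = f"script uses eval()/new Function(); refactor or add 'unsafe-eval' to {directive}"
    elif kind == "scheme":
        result["fix"] = f"{blocked}: resource; add the scheme-source {blocked}: to {directive} if that is acceptable"
    else:
        u = urlsplit(blocked)
        origin = f"{u.scheme}://{u.netloc}"
        result["origin"] = origin
        if any(host_matches(s, u.hostname or "") for s in sources):
            result["fix"] = f"{origin} is already listed in {directive}; check the effective directive, scheme and port"
        else:
            result["fix"] = f"add {origin} to {directive}"
    return result


if __name__ == "__main__":
    for body in SAMPLE_REPORTS:
        print(triage(body))
```

Run against the constructed reports, the first one is classified as an inline style violation with the location taken from source-file:line:column, the second as a stripped data: resource whose fix is the scheme-source data:, and the third as an external origin to add to img-src.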