When I turn on CSP logging, I get reports similar to this one:

CSP: Directive style-src *.mydomain.com fonts.googleapis.com violated.
Blocked URI: .
Data: stdClass Object
(
[document-uri] => http://mydomain.com/admin/config/system/seckit
[referrer] => http://mydomain.com/admin/config/system/seckit
[violated-directive] => style-src *.mydomain.com fonts.googleapis.com
[original-policy] => default-src *.mydomain.com; script-src *.mydomain.com maps.googleapis.com; style-src *.mydomain.com fonts.googleapis.com; report-uri /admin/config/system/seckit/csp-report
[blocked-uri] =>
[source-file] => http://mydomain.com/sites/all/modules/jquery_update/replace/jquery/1.5/j...
[line-number] => 16
[column-number] => 17400
[status-code] => 200
)

Because the blocked URI value is empty, I can't tell what's triggering the violation. I've looked through the source of the page in question, and I think I've got the proper rules in place to whitelist approved third-party sources. However, I keep getting these reports.

Comments

jweowu:

Status: Active » Closed (works as designed)

The report is generated by the user agent visiting the site, and SecKit logs the data it's given. If the user agent doesn't say what the blocked URI was, SecKit can't guess.

This *sounds* like a bug in the user-agent. If you're triggering these yourself, you could try using a different one? And if it happens with multiple different user-agents, then do some searching for why blocked-uri might be empty, and report back.

rajeev.cp@sreyas.com:

I have the same issue. What do I have to do?

brad.bulger:

I am seeing a bunch of entries saying the img-src directive was violated, reporting blocked-uri as "data" - the literal word.

Is that this same issue - that this is somehow what was in the request?

jweowu:

That sounds like https://stackoverflow.com/questions/18447970

I.e. adding data: (with the trailing colon) as one of your permitted img-src values would allow those URLs.

Refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Securi...

Edit: Reworded to avoid any recommendation -- obviously you need to do what's correct for your own CSP.

brad.bulger:

When the blocked-uri value is just "data" or "blob" - not "data:" - I don't know if that is supposed to be a hostname or if it is in fact the schema of that name. If blocked-uri should always be a URI - always have a schema - I guess that would tell me.

This is information coming from the requester, is that correct? It's what's in the HTTP request from the client?

jweowu:

> This is information coming from the requester, is that correct? It's what's in the HTTP request from the client?

Correct. The web site merely tells the user agent what the rules are, but it's the user agent which enforces the rules (and optionally reports any would-be violations that it suppressed). Drupal is then logging the content of the violation-report requests.
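The mechanism jweowu describes (site sends the policy, user agent enforces it and POSTs a violation report to report-uri, the server merely logs what it is given) is easiest to see by handling a few reports directly. The following is an added example written for this thread, not SecKit's or Drupal's code. It assumes the standard JSON report body wrapped in a top-level `csp-report` object, and the three sample reports are constructed to mirror the cases above: an empty blocked-uri as in the original post, the bare word `data` from brad.bulger's comment (the user agent strips non-HTTP(S) URLs down to their scheme before reporting, which is why it is `data` and not `data:...`), and a full URL. Function names and the placeholder source-file path are invented for illustration.

```python
"""Interpret Content-Security-Policy violation reports by their blocked-uri value.

Added example for this thread; assumes the standard {"csp-report": {...}} body.
"""
from __future__ import annotations

import json
from typing import Optional, Tuple
from urllib.parse import urlparse

# Schemes the user agent reduces to their bare name when reporting a blocked URL.
SCHEME_ONLY_TOKENS = {"data", "blob", "filesystem", "mediastream"}
# Tokens used for violations that have no URL at all.
NON_URL_TOKENS = {"inline", "eval"}

# Constructed sample reports (not captured traffic); policy text mirrors the thread.
ORIGINAL_POLICY = ("default-src *.mydomain.com; script-src *.mydomain.com maps.googleapis.com; "
                   "style-src *.mydomain.com fonts.googleapis.com; "
                   "report-uri /admin/config/system/seckit/csp-report")
SAMPLE_REPORTS = [
    # 1. Empty blocked-uri: the user agent did not say what it blocked.
    json.dumps({"csp-report": {
        "document-uri": "http://mydomain.com/admin/config/system/seckit",
        "violated-directive": "style-src *.mydomain.com fonts.googleapis.com",
        "original-policy": ORIGINAL_POLICY,
        "blocked-uri": "",
        "source-file": "http://mydomain.com/sites/all/modules/example.js",  # placeholder path
        "line-number": 16, "column-number": 17400, "status-code": 200}}),
    # 2. A data: image, reported as the bare scheme name "data".
    json.dumps({"csp-report": {
        "document-uri": "http://mydomain.com/",
        "violated-directive": "default-src *.mydomain.com",
        "effective-directive": "img-src",
        "original-policy": ORIGINAL_POLICY,
        "blocked-uri": "data"}}),
    # 3. A third-party script with a full URL.
    json.dumps({"csp-report": {
        "document-uri": "http://mydomain.com/",
        "violated-directive": "script-src *.mydomain.com maps.googleapis.com",
        "effective-directive": "script-src",
        "original-policy": ORIGINAL_POLICY,
        "blocked-uri": "https://cdn.example.net/lib/widget.js"}}),
]


def parse_policy(policy: str) -> dict:
    """Split a serialized policy into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.strip().split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def effective_directive(report: dict) -> str:
    """Prefer effective-directive; older reports carry only violated-directive
    with its source list attached, so fall back to that field's first token."""
    return report.get("effective-directive") or report["violated-directive"].split()[0]


def classify_blocked_uri(blocked: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (kind, source expression that would match the blocked resource or None)."""
    blocked = (blocked or "").strip()
    if blocked == "":
        # Nothing to compare against the policy; the UA gave no URL.
        return ("unidentified", None)
    if blocked in NON_URL_TOKENS:
        return (blocked, None)
    if blocked in SCHEME_ONLY_TOKENS:
        # A scheme-source such as "data:" is what would match this resource.
        return ("scheme", blocked + ":")
    parsed = urlparse(blocked)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return ("origin", f"{parsed.scheme}://{parsed.netloc}")
    return ("other", None)


def summarize(body: str) -> dict:
    """Reduce one report body to the facts an administrator needs to act on."""
    report = json.loads(body)["csp-report"]
    directive = effective_directive(report)
    policy = parse_policy(report["original-policy"])
    kind, expr = classify_blocked_uri(report.get("blocked-uri"))
    return {
        "document": report.get("document-uri"),
        "directive": directive,
        "kind": kind,
        "would_match": expr,
        # Sources currently permitted for that directive (default-src if it is absent).
        "sources": policy.get(directive, policy.get("default-src", [])),
    }


if __name__ == "__main__":
    for body in SAMPLE_REPORTS:
        print(summarize(body))
```

Run stand-alone, it prints one summary per report: the first is `unidentified` with nothing to compare against the policy, matching jweowu's point that the server cannot guess what the browser omitted; the second resolves to `data:` as the expression that would match; the third reports the origin `https://cdn.example.net` alongside the sources the policy already lists for `script-src`.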