http headers - Content-Security-Policy Blocking Whitelisted Domains

My site has been running a content-security-policy-report-only header for several months, during which time I have seen a number of violations for a domain which should be whitelisted. The site receives enough traffic and the reports are infrequent enough that it seems as if the policy must be working as intended for most users.

The following report shows both the original policy and the problematic violation:

{"csp-report":{
    "document-uri":"https://admin1.sitespect.com/",
    "referrer":"https://admin1.sitespect.com/",
    "violated-directive":"script-src-elem",
    "effective-directive":"script-src-elem",
    "original-policy": "
        report-uri /log/CSP/PolicyViolations?csptoken=ZTBXXVPXFRBRTETZFOQK;
        default-src 'self' 'unsafe-eval' 'unsafe-inline';
        frame-src * data:;
        img-src * data: blob:;
        script-src https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
        script-src-elem https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
        connect-src https://api.feedback.eu.pendo.io https://api.hubapi.com https://forms.hubspot.com https://recs.sitespect.net https://*.receptive.io https://api.hubspot.com 'self';
        worker-src 'self' 'unsafe-eval' 'unsafe-inline' blob:;",
    "disposition":"report",
    "blocked-uri":"https://feedback.pendo.io/js/widget/widget.js",
    "status-code":0,
    "script-sample":""
}}

Is there something I've missed in my policy? I know that enforcement of the CSP is different across browsers occasionally - the violations from the past month have been from Chrome 87 based on user agents, but I can't guarantee that's the case for all of them.

question from:https://stackoverflow.com/questions/66052239/content-security-policy-blocking-whitelisted-domains


1 Reply


The answer is in the "status-code":0 string of the violation report. 0 (really it's empty) means no HTTP status code was returned when the browser tried to load https://feedback.pendo.io/js/widget/widget.js.

It happens because ad blockers block the connection. The pendo.io domain is contained in blacklists, for example AdBlock and AdGuard.

The browser cannot access such a "whitelisted" domain and does not get any HTTP status code (200 OK, 301/304/403/404/500 etc.). Therefore some browsers erroneously treat this as a CSP violation, not as a network error.
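The triage logic the answer describes, as an added example (not from the question, the answer or any CSP library): parse the report's own original-policy, check whether the blocked-uri is actually allowed by the violated directive, and treat "allowed but status-code 0" as a client-side block or network failure rather than a policy gap. The source matcher is an approximation of CSP host-source matching (scheme, host with a leading *. wildcard, explicit port, 'self', scheme sources and *), and the sample report is a constructed, shortened copy of the one in the question.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the report in the question (policy shortened).
SAMPLE_REPORT = json.loads("""{"csp-report": {
  "document-uri": "https://admin1.sitespect.com/",
  "effective-directive": "script-src-elem",
  "original-policy": "default-src 'self'; script-src-elem https://www.google.com https://*.receptive.io https://feedback.pendo.io 'self' 'unsafe-inline';",
  "blocked-uri": "https://feedback.pendo.io/js/widget/widget.js",
  "status-code": 0}}""")

def parse_policy(policy):
    """Split a serialized CSP into {directive: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def source_matches(source, url, document_uri):
    """Approximate CSP source matching: '*', scheme sources, 'self', and host
    sources with an optional *. wildcard. Other keyword sources never match a URL."""
    tgt = urlsplit(url)
    if source == "*":
        return tgt.scheme in ("http", "https", "ws", "wss")
    if source == "'self'":
        doc = urlsplit(document_uri)
        return (doc.scheme, doc.hostname, doc.port) == (tgt.scheme, tgt.hostname, tgt.port)
    if source.startswith("'"):
        return False
    if source.endswith(":"):                      # scheme source such as data: or blob:
        return tgt.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    if src.port is not None and src.port != tgt.port:
        return False
    if src.hostname.startswith("*."):
        return tgt.hostname.endswith(src.hostname[1:])   # *.receptive.io -> .receptive.io
    return src.hostname == tgt.hostname

def triage(report):
    """Classify one csp-report dict. An allowed blocked-uri with status-code 0 never
    finished loading (ad blocker, DNS or network failure), so it is not a policy gap."""
    r = report["csp-report"]
    directive = r.get("effective-directive") or r["violated-directive"]
    sources = parse_policy(r["original-policy"]).get(directive, [])
    allowed = any(source_matches(s, r["blocked-uri"], r["document-uri"]) for s in sources)
    if allowed and r.get("status-code", 0) == 0:
        return "client-blocked-or-network-error"
    if allowed:
        return "allowed-but-reported"   # worth a look: browser quirk or policy parsing difference
    return "policy-violation"
```

Fold this into whatever ingests the report-uri endpoint so that status-code 0 reports for allowed hosts are counted separately from real violations instead of prompting policy changes.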
