Opened 6 years ago
Closed 6 years ago
#2102 closed enhancement (fixed)
Content security policy violations should not be reported to the server
| Reported by: | Nicklas Nordborg | Owned by: | everyone |
|---|---|---|---|
| Priority: | minor | Milestone: | BASE 3.11.2 |
| Component: | web | Version: | |
| Keywords: | Cc: |
Description
I have noticed that during the last weeks, the server logs are full of "Content security policy" violation reports. The strange thing is that they all have "blocked-uri":"self", even though the policy is set to default-src 'self'.
Investigations indicate that it might be AdBlock that is causing this. Browsers without AdBlock installed doesn't cause any log messages. It doesn't help to disable AdBlock on the BASE site.
Checking the DOM there are indeed scripts and event handlers that have been injected by AdBlock. I don't know why this suddenly appears as "Content Security Policy" violations. It could be a new version of AdBlock or the brower.
In any, case I think we there is no need to log this on the server side and that it should be disabled by default. If the server admin still wants logging, it can be enabled by including 'report-uri xxxx' in the CSP directive (configured in web.xml).
(In [7423]) Fixes #2102: Content security policy violations should not be reported to the server
Reportering CSP violations must now be configured in the web.xml file. Two actions are needed:
report-uristatement to the Content-Security-Policy header.csp-reportservlet.