Opened 5 weeks ago

Closed 3 weeks ago

#2102 closed enhancement (fixed)

Content security policy violations should not be reported to the server

Reported by: nicklas Owned by: everyone
Priority: minor Milestone: BASE 3.11.2
Component: web Version:
Keywords: Cc:

Description

I have noticed that during the last weeks, the server logs are full of "Content security policy" violation reports. The strange thing is that they all have "blocked-uri":"self", even though the policy is set to default-src 'self'.

Investigations indicate that it might be AdBlock that is causing this. Browsers without AdBlock installed doesn't cause any log messages. It doesn't help to disable AdBlock on the BASE site.

Checking the DOM there are indeed scripts and event handlers that have been injected by AdBlock. I don't know why this suddenly appears as "Content Security Policy" violations. It could be a new version of AdBlock or the brower.

In any, case I think we there is no need to log this on the server side and that it should be disabled by default. If the server admin still wants logging, it can be enabled by including 'report-uri xxxx' in the CSP directive (configured in web.xml).

Change History (1)

comment:1 Changed 3 weeks ago by nicklas

  • Resolution set to fixed
  • Status changed from new to closed

(In [7423]) Fixes #2102: Content security policy violations should not be reported to the server

Reportering CSP violations must now be configured in the web.xml file. Two actions are needed:

  • Add a report-uri statement to the Content-Security-Policy header.
  • Enable the csp-report servlet.
Note: See TracTickets for help on using tickets.