What should I do if I get an empty CSP violation?

Question

I use Content Security Policy. I get genuinely useful warnings like this:

CSP violation! 
{ 'csp-report':
    { 'document-uri': 'about:blank',
        referrer: '',
        'violated-directive': 'img-src \'self\' data: pbs.twimg.com syndication.twitter.com p.typekit.net',
        'original-policy': 'longPolicyGoesHere',
        'blocked-uri': 'https://platform.twitter.com',
        'source-file': 'https://platform.twitter.com',
        'line-number': 2 } }

Cool, I need to add 'platform.twitter.com' as an img-src

But sometimes I get blank CSP warnings like this:

CSP violation! 
{}

Ie, there's been a POST, but the JSON is empty. What do I do?

As mentioned Mike, I don't know the answer. Is this only Safari you are seeing this? How often etc? — jonathanKingston, Aug 19 '15 at 23:52

David Spector · Answer 1 · 2018-08-31T01:20:56.657

I found the problem in my case; it might not be the problem for you.

Since the CSP reporter calls the report-uri file with the POST method, I assumed that the $_POST variable would contain the posted data. This turned out to be false, because the data was not sent from a form or file upload (see PHP "php://input" vs $_POST).

The following code works for me perfectly (thanks to inspiration by the slightly buggy code in https://mathiasbynens.be/notes/csp-reports):

<?php
// Receive and log Content-Security-Policy report

// (WriteLog function omitted here: it just writes text into a log file)

$data=file_get_contents('php://input');
if (!$data) // Data is usually non-empty
    exit(0);

// Prettify the JSON-formatted data.
$val=json_decode($data);
$data = json_encode($val,JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
WriteLog($data);
?>

What should I do if I get an empty CSP violation?

1 Answers1