
I am setting up Content Security Policy. I have set up basic rules in report-only mode for testing.

I keep getting reports for a blocked script, but the source is only data:

"csp-report": {
    "blocked-uri": "data",
    "document-uri": "http://www.example.com/page.html",
    "original-policy": "default-src http://www.example.com ...
    "violated-directive": "script-src 'unsafe-inline' http://www.example.com http://www.google-analytics.com;"
}

I cannot reproduce the report even if I go to the same page with the same browser type as the visitor who caused this report. In the CSP documentation I could not find anything about a source called data.

The page http://www.example.com/page.html is mainly static HTML but has the Google Analytics script between <script> tags:

<script type="text/javascript">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject'...
</script>

The same script is used on other pages of my site, including the front page. Yet only page.html generates these reports about blocked data.

What is this URI data that gets blocked? Is it something from my site, or something external that the visitor's browser tried to load?

Madoc Comadrin
  • See these a lot too. Suspect browser extensions. Really annoying as it leads to a lot of noise in CSP reports, denting their usefulness :-( – Barry Pollard Mar 29 '16 at 19:57

1 Answer


Quick question about the reports: do they happen across one browser or all?

If only one browser: script-src violations with blocked-uri: data are likely noise from plugins. The pattern of loading JavaScript via data URLs probably isn't coming from you.

If all browsers: if you aren't using the pattern, perhaps one of your libraries is. Google Analytics does not use the pattern.

See https://twitter.com/Scott_Helme/status/710164802925142017 for a quick discussion.

Note: allowing script-src data: is very dangerous, or at least as dangerous as 'unsafe-inline'. Source: http://webreflection.blogspot.com/2011/08/simulate-script-injection-via-data-uri.html

oreoshake
  • The reports are mostly caused by Firefox and a few cases of Chrome. But only by some users of those browsers. Since `script-src data:` is so risky I will avoid allowing it. (And hopefully get rid of `'unsafe-inline'` soon). – Madoc Comadrin Mar 30 '16 at 05:57
  • That's great! I see you've already disallowed eval. If you'd like some tips on removing the inline script, I wrote this years ago: http://oreoshake.github.io/csp/2013/01/13/removing-inline-js-for-csp.html – oreoshake Mar 30 '16 at 16:52
  • I've found Google Analytics causing data-uri blocking messages ... I wonder if there's a way to specify which sources are allowed to do data-uri and which aren't? – Louis St-Amour Jul 23 '16 at 21:22
  • Never mind, I suspect it was caused by this async downloading script: https://developers.google.com/analytics/devguides/collection/analyticsjs/ I'll try a different approach to loading GA... – Louis St-Amour Jul 23 '16 at 21:25
  • Actually, it was this: http://icompile.eladkarako.com/you-cant-really-adblock-google-analytics-on-chrome/ -- but it's not as it seems. This isn't sent by Google... – Louis St-Amour Jul 23 '16 at 21:31
  • See: http://stackoverflow.com/questions/27945501/307-redirect-when-loading-analytics-js-in-chrome for instructions on how to determine which Chrome plugin is causing this and https://gist.github.com/eddywashere/fbd3a79104dfb1fbb971 for an example of uBlock Origin's. – Louis St-Amour Jul 23 '16 at 21:34