
I've implemented a Content Security Policy on my application and it is live in report-only mode for now to test. After tweaking the policy appropriately, I've been left with quite a few reports that look like this:

{
    "csp-report": {
        "blocked-uri": "self",
        "document-uri": "https://example.com/path/to/app/page.php",
        "original-policy": "script-src 'nonce-DrZQpFyD2k9sGWT5' https://example.com https://ajax.googleapis.com https://maps.googleapis.com; default-src https://example.com; style-src https://example.com 'unsafe-inline' https://maxcdn.bootstrapcdn.com; img-src * data:; font-src https://example.com https://maxcdn.bootstrapcdn.com; frame-src https://example.com; frame-ancestors https://example.com; form-action *; report-uri https://<>.report-uri.io/r/default/csp/reportOnly",
        "script-sample": "onmouseout attribute on DIV element",
        "source-file": "https://example.com/path/to/app/page.php?id=143",
        "violated-directive": "script-src 'nonce-DrZQpFyD/k9sGWT5' https://example.com https://ajax.googleapis.com https://maps.googleapis.com https://code.jquery.com/ "
    }
}

Most of the users of the application use Chrome but these reports exclusively come from Firefox. Sometimes the script sample says onmouseover or some other mouse event. I've looked through all of the code in the application and there isn't anywhere that uses attribute mouse events.

Any ideas as to what is causing this?

rink.attendant.6
  • Any externally-included code that uses mouse events, like Google Analytics? – cdhowie Jan 09 '17 at 19:50
  • @cdhowie The only externally included code on the pages that violation report is triggered is jQuery UI, but I haven't seen that violation from Edge, IE, or Chrome. – rink.attendant.6 Jan 09 '17 at 19:53
  • Possible duplicate of [Refused to load the script because it violates the following Content Security Policy directive](https://stackoverflow.com/q/31211359/608639) – jww Oct 19 '18 at 06:43

1 Answer

Hard to say for sure. One possibility, however, is that some of your users have browser addons installed which are injecting HTML into your page which contains inline event handlers (like onmouseout, in this case).

Detecting this is difficult. There's no way to enumerate the addons a user has installed; the only options I'm aware of are to:

  1. Figure out which of your users are triggering this error and contact them directly -- which is only feasible if you have a close relationship with your users.

  2. Start installing popular Firefox addons! Eventually you might find the one that's responsible. (But you might not. It could be a private addon, or a Greasemonkey script.)
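One practical middle ground, as an added example that is not from the question or the answer, is to triage the reports arriving at the report-uri endpoint: split violations whose script-sample names an inline event-handler attribute (the pattern the answer attributes to add-on-injected HTML) from violations about the application's own resources, and count them per browser. The field names are those of the report format quoted in the question; the User-Agent strings, the second report and the endpoint entry shape are constructed assumptions.

```python
import json
import re
from collections import Counter

# Firefox names a blocked inline handler like "onmouseout attribute on DIV element".
INLINE_HANDLER_RE = re.compile(r"^(on\w+) attribute on (\w+) element$", re.IGNORECASE)
INLINE_MARKERS = ("self", "inline", "")  # blocked-uri values browsers use for inline code

def classify_report(report: dict) -> dict:
    """Classify one parsed CSP report (with or without the 'csp-report' wrapper)."""
    body = report.get("csp-report", report)
    tokens = body.get("violated-directive", "").split()  # first token is the directive name
    directive = tokens[0] if tokens else ""
    blocked = body.get("blocked-uri", "")
    match = INLINE_HANDLER_RE.match(body.get("script-sample", ""))
    if directive == "script-src" and blocked in INLINE_MARKERS and match:
        category = "inline-event-handler"  # markup the app never emits: suspect injected HTML
    elif blocked in INLINE_MARKERS:
        category = "inline"
    else:
        category = "external"
    return {"directive": directive, "blocked_uri": blocked, "category": category,
            "handler": match.group(1).lower() if match else None,
            "element": match.group(2).upper() if match else None}

def browser_family(user_agent: str) -> str:
    """Coarse browser name from the User-Agent header the report endpoint received."""
    for marker, name in (("Firefox/", "Firefox"), ("Edg", "Edge"), ("Chrome/", "Chrome")):
        if marker in user_agent:
            return name
    return "Other"

def summarize(entries) -> Counter:
    """Count (browser, category) pairs over (user_agent, report_json) entries."""
    counts = Counter()
    for user_agent, report_json in entries:
        info = classify_report(json.loads(report_json))
        counts[(browser_family(user_agent), info["category"])] += 1
    return counts

# Constructed sample input (not real traffic): the question's report, trimmed, plus one blocked third-party script, with made-up User-Agent strings.
QUESTION_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "self", "document-uri": "https://example.com/path/to/app/page.php",
    "script-sample": "onmouseout attribute on DIV element",
    "violated-directive": "script-src 'nonce-DrZQpFyD/k9sGWT5' https://example.com"}})
EXTERNAL_REPORT = json.dumps({"csp-report": {"blocked-uri": "https://cdn.example.net/widget.js",
    "violated-directive": "script-src 'nonce-abc' https://example.com"}})
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/55.0.2883.87 Safari/537.36"
SAMPLE_ENTRIES = [(FIREFOX_UA, QUESTION_REPORT), (FIREFOX_UA, QUESTION_REPORT), (CHROME_UA, EXTERNAL_REPORT)]
```

A skew such as every inline-event-handler report coming from one browser family while external-resource reports are spread across all of them is the signal that the violations come from the client side rather than from the application's markup.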