
We have enabled the "Content-Security-Policy-Report-Only" response header with the "report-uri" directive to report all violations.

        <param-name>Content-Security-Policy-Report-Only</param-name>
        <param-value>default-src 'none'; connect-src 'self' api.amplitude.com; font-src 'self';
            img-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline';
            style-src 'self' 'unsafe-inline'; manifest-src 'self';
            frame-ancestors 'none'; frame-src 'self';
            report-uri /myApp/api/v1/csp/report;</param-value>

Whenever there is a violation of the policy on load of the web page, the browser will automatically make a POST call to our registered endpoint "/myApp/api/v1/csp/report", sending a JSON request with the violation.

But this call is failing with 403 - Forbidden.

Our application is also expecting a CSRF token in the request header for all POST/PUT HTTP calls. Since this API call is made by the browser automatically, it's not sending the CSRF token which our application is expecting, and hence it fails. How can we add a new HTTP header to this call which is made by the browser automatically?

Thanks in advance.

Yathish Manjunath

1 Answer


You can’t.

You need to set the endpoint for the CSP errors so it doesn’t need a CSRF token.

This shouldn’t be a serious issue: The error reporting API you provide shouldn’t be able to do anything that really needs CSRF protection (like exposing personal data or posting content to the general public using the identity of the user).

Quentin
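One way to implement the answer's advice on the server side, as an added example in Python (not code from the question's Java application): the report path from the question is exempted from the CSRF check, and the endpoint verifies that what it receives really is a browser CSP report before trusting it. The field names follow the CSP report-uri JSON format; the size limit and the sample report are assumed/constructed values.

```python
import json

# Path taken from the question's report-uri; the browser's POST to it carries no CSRF token.
CSP_REPORT_PATH = "/myApp/api/v1/csp/report"
MAX_REPORT_BYTES = 16 * 1024  # assumed upper bound; violation reports are small JSON documents


def is_csrf_exempt(method: str, path: str) -> bool:
    """Exempt only the report endpoint from the CSRF check: it is POSTed by the browser
    itself, and it changes no application state, so a token buys nothing there."""
    return method.upper() == "POST" and path == CSP_REPORT_PATH


def parse_csp_report(content_type: str, body: bytes) -> dict:
    """Validate and normalise a report-uri violation report.

    Browsers send a JSON object keyed "csp-report" with Content-Type application/csp-report.
    Anything else raises ValueError, so the unauthenticated endpoint accepts nothing else."""
    if content_type.split(";")[0].strip().lower() != "application/csp-report":
        raise ValueError("unexpected content type: %r" % content_type)
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        report = json.loads(body.decode("utf-8"))["csp-report"]
    except (UnicodeDecodeError, ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed CSP report") from exc
    if not isinstance(report, dict):
        raise ValueError("csp-report is not an object")
    # Keep only the documented fields with scalar values; the client controls the payload.
    fields = ("document-uri", "referrer", "violated-directive", "effective-directive",
              "original-policy", "blocked-uri", "status-code", "source-file",
              "line-number", "column-number", "disposition")
    out = {k: report[k] for k in fields if isinstance(report.get(k), (str, int))}
    if "document-uri" not in out or "violated-directive" not in out:
        raise ValueError("report lacks required fields")
    return out


# Constructed sample: what a browser would POST after a third-party script violated the
# question's Report-Only policy (values are made up for the example).
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://app.example.com/myApp/home",
    "violated-directive": "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.com/widget.js",
    "original-policy": "default-src 'none'; script-src 'self'; report-uri /myApp/api/v1/csp/report",
    "disposition": "report",
    "status-code": 200,
}}).encode()
```

In the request pipeline, consult is_csrf_exempt before the token check and hand the raw body and Content-Type of exempted requests to parse_csp_report, logging the returned dictionary.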