Compare Revisions

Using CSP violation reports

Revision 4733 by abarth on

Revision 4734 by abarth on

Title: Using CSP violation reports (unchanged)
Slug: Security/CSP/Using_CSP_violation_reports (unchanged)
Tags: Security, "Content Security Policy" (unchanged)
Content: Revision 4733 vs. Revision 4734
n16    <h2>n16    <h2 id="Enabling_reporting">
n28    <h2>n28    <h2 id="Violation_report_syntax">
n66    <h2>n66    <h2 id="Sample_violation_report">
n70      FIXMEn70      Let's consider a page located at&nbsp;<code><a class=" exte
 >rnal" href="http://example.com/signup.html" rel="freelink">http:/
 >/example.com/signup.html</a></code> that uses the following polic
 >y:
n72    <pre class="brush: js">n72    <div>
73      <pre>
74X-Content-Security-Policy: default-src 'self'; img-src 'self' *.e
 >xample.com; report-uri /_/csp-reports
75</pre>
76    </div>
77    <div>
78      If an attacker's web page hosted at&nbsp;<code>evil.example
 >.net</code> links to&nbsp;<code>signup.html</code> and tricks&nbs
 >p;<code>signup.html</code> into including&nbsp;<code>injected.png
 ></code>, the browser will send the following violation report as 
 >a POST request to <code><a class=" external" href="http://example
 >.com/_/csp-reports" rel="freelink">http://example.com/_/csp-repor
 >ts</a></code>:
79    </div>
80    <pre>
n77    "blocked-uri": "http://evil.example.net/image.png",n85    "blocked-uri": "http://evil.example.net/injected.png",
n79    "original-policy": "default-src 'self'; img-src 'self' *.examn87    "original-policy": "default-src 'self'; img-src 'self' *.exam
>ple.com",>ple.com; report-uri /_/csp-reports",
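Review bot: the prose at new line 78 never says where injected.png is served from, so a reader cannot tell from that paragraph why the policy at 74 (`img-src 'self' *.example.com`) blocks it; the only hint is the report at n85, whose blocked-uri is http://evil.example.net/injected.png. Suggest writing it as "tricks signup.html into including http://evil.example.net/injected.png" so the mismatch with *.example.com is explicit, and adding a clause that the relative `report-uri /_/csp-reports` resolves against the page's own origin, which is why the POST lands on http://example.com/_/csp-reports as stated at 78.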
t83    <p>t91    <h2 id="See_also">
84      The MIME&nbsp;type of the transmitted report is <code>appli
>cation/json</code>. 
85    </p>
86    <h2>
87      Sample violation report
88    </h2>
89    <p>
90      Let's consider a page located at <span class="nowiki">http:
>//example.com/index.html</span>. This page is requested using the 
> GET&nbsp;method and HTTP&nbsp;1.1. 
91    </p>
92    <p>
93      The site has the following policy configured:
94    </p>
95    <pre>
96X-Content-Security-Policy: allow 'none'; img-src 'self'
97</pre>
98    <pre>
99{
100  "csp-report":
101    {
102      "request": "GET http://index.html HTTP/1.1",
103      "request-headers": "Host: example.com                      
>                                   
104                          User-Agent: Mozilla/5.0 (Macintosh; Int
>el Mac OS X 10.6; rv:2.0b8pre) Gecko/20101009 Firefox/4.0b8pre    
>                                                      
105                          Accept: text/html,application/xhtml+xml
>,application/xml;q=0.9,*/*;q=0.8   
106                          Accept-Language: en-us,en;q=0.5        
>                                   
107                          Accept-Encoding: gzip,deflate          
>                                   
108                          Accept-Charset: ISO-8859-1,utf-8;q=0.7,
>*;q=0.7                            
109                          Keep-Alive: 115                        
>                                   
110                          Connection: keep-alive",
111      "blocked-uri": "http://evil.com/some_image.png",
112      "violated-directive": "img-src 'self'",
113      "original-policy": "allow 'none'; img-src 'self'"
114    }
115}
116</pre>
117    <h2>
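Review bot: the sentence at old lines 84-85, "The MIME type of the transmitted report is application/json", appears only in the old column here, where the new column goes straight from the sample report to <h2 id="See_also"> at n91; if it is being removed together with the old duplicate "Sample violation report" section, it should be re-homed under the new sample at 80-88, since anyone writing the /_/csp-reports endpoint needs that content type. The old sample at 99-115 also has a malformed request line ("GET http://index.html HTTP/1.1" runs host and path together) and header values padded with trailing whitespace, so nothing from it should be carried into the new revision as-is.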