nico3333fr / csp-useful Goto Github PK
Collection of scripts, thoughts about CSP (Content Security Policy)
License: MIT License
Many of the WTFs are just the result of misconfigured CSP directives. For example:
Those are both lacking 'self' for style-src, so their styles are getting blocked.
A good chunk of the script-sample entries fall into this category. Anything with blocked-uri: self should be considered to be a misconfiguration--the developer is simply missing 'self'.
I'm occasionally getting violation reports from Opera and Chrome saying that someone is setting their form-action to a data URL:
{
"csp-report": {
"document-uri": [SITE URL],
"effective-directive": "form-action",
"original-policy": "default-src [SITE URL]; style-src https: 'unsafe-inline'; img-src data: blob: https:; frame-src *; child-src * blob:; worker-src 'self' blob:; script-src https: 'unsafe-inline' 'report-sample' 'self' 'strict-dynamic' 'nonce-[removed]'; object-src 'none'; form-action [SITE URL]; report-uri [SITE URL]; report-to csproReportEndpoint;",
"blocked-uri": "data"
}
}
Does this make any sense to anyone?
This comes from the Reader Mode in Maxthon browser: http://wiki.maxthon.com/index.php/Maxthon_3_-_Reader_Mode
On old versions of Maxthon, a very strict CSP could also block Reader Mode entirely, but it has been fixed on the newer versions
Comes from https://easylist-downloads.adblockplus.org/easylist.txt (##.mod > ._jH + .rscontainer in the middle) and some ad blocking extensions like uBlock Origin add the CSS in a <style> tag on the web page.
It is probably from an extension in your browser; it was a VK downloader one for me.
if you are not using these services, uncomment these lines to enable other filters
https://github.com/nico3333fr/CSP-useful/blame/master/report-uri/csp-parser-enhanced.php#L1566
Shouldn't this be the opposite? When a website uses Google Fonts, we want to filter (out) the reports for Google Fonts and uncomment (= activate these lines) these rules.
What other filters?
61106b3
Using Chrome. None of the attempts seem to be making it beyond this error.
Hey bro!
Fantastic repo!
I will prepare the report for the analyzer but while
What does it mean when violation reports lack a source-file?
I am reading all the specifications of CSP2 / CSP3 but I have not found the reason.
$tab_filter in csp-parser-enhanced.php contains a couple of entries that will never be triggered in the foreach loop:
A new one, on which I haven't found any details yet: the "properties" blocked URI.
It is linked only with the "connect-src" directive, and applies to legit site URLs (standard pages of the website the CSP applies to).
It's this: https://chrome.google.com/webstore/detail/skype/lifbcibllhkdhoafpjfnlhfpfgnpldfl
Trying to find an email address to tell them their extension is broken.
This happens if you don't allow inline scripts--that is, <script> with no src attribute, but rather embedded JavaScript. Inline JavaScript has to be explicitly allowed via 'inline'.
Note that some analytics tools and other libraries may inject their own inline <script> tags.
Hi,
not-explained/chrome.tab is similar to explained/window.klTabId_kis
{
"csp-report": {
"document-uri": "https://www.example.org/...",
"referrer": "",
"violated-directive": "img-src 'self'",
"original-policy": "default-src 'self';",
"blocked-uri": "https://www.example.org"
}
}
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b
Where "example.org" is replaced by the live domain.
I guess it is something about Bing Preview but I have no idea wtf is happening there. As 'self' is allowed, the domain the rule runs on should be allowed.
Google Analytics can use three methods to send data. The criteria by which it determines which is the optimal default is unclear.
image requires an img-src directive
xhr requires a connect-src directive
beacon requires a connect-src directive
2 more links for the list ;)
https://twitter.com/Scott_Helme/status/961612668992966656
https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/
https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#httpucgrepass
This is most likely a result of content injected by UC Browser. It's a popular browser in China and a few other countries in the region. It seems to have a habit of siphoning data from web pages that its users visit, as well as injecting analytics and possibly ads. This particular report may actually be from an extension designed for UC Browser.
This is adware/spyware/malware. Keep it blocked.
Hey guys. Not sure if you wanted reports as issues (sorry if not!), but I believe I may have found the source of the unknown 'wrcx' report:
https://github.com/vikeshkhanna/pointers/blob/master/youtube_files/iframe.htm
It's a Chrome extension 'to add seek markers / pointers to the YouTube timeline. You can add as many pointers you wish, drag them on the timeline, delete them and seek to that point in the video by clicking the marker. Extension uses content scripts, jquery and jquery-ui. ' - see https://github.com/vikeshkhanna/pointers
eval() is considered unsafe and needs to be explicitly allowed with script-src 'eval', otherwise it will be blocked. Numerous frameworks and analytics libraries make use of eval().
Hello there,
I use the HTML5 video element on my website and a strict Content-Security-Policy directive (default-src 'self'). I get this error message in the Google Chrome console when I load a page with a video element for the first time:
[Report Only] Refused to load the image '' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
[Report Only] Refused to load the image 'data:image/svg+xml;base64,...' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
There are a total of 9 data:image URIs violating the CSP directive. These data:image URIs are used for the controls of the video element. If they are blocked it is impossible to use the video element.
I am aware of the possibility to use the "img-src 'self' data:;" directive, but I would like to avoid this solution as it reduces the protection I could get from strict CSP directives.
I notice that the HTML5 video element does not violate the CSP directive when I use Edge or Firefox.
Is it possible to fix this issue? Thank you.
chrome-extension: will appear in reports when a Chrome extension attempts to inject a script, iframe, or other content into a page that doesn't explicitly allow the chrome-extension: scheme. If users are complaining that their extensions aren't working on your site, this is why. Oftentimes they're injecting questionable content (e.g., ads or analytics), in which case you may want to deliberately omit this.
moz-extension is the same thing, but for Firefox.
Depending on how the extension works and what browser is being used, about:blank or other about: URLs may appear instead of an extension scheme.
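As an added example (not code from the CSP-useful repository, whose own parser is PHP), here is a small Python triage of report JSON that applies the rules of thumb from the comments above: blocked-uri self means the effective directive lacks 'self' (the first comment), chrome-extension:/moz-extension:/about: URIs are browser-extension noise (the comment just above), and the Google Analytics transport table (image needs img-src, xhr and beacon need connect-src). The report layout, the sample policies and the Google Analytics collect URL are assumptions of the example, and source matching is simplified (no wildcards, paths or nonces).

```python
import json
from urllib.parse import urlsplit
# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK = {"img-src", "style-src", "script-src", "connect-src", "font-src", "media-src", "frame-src"}
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "about")
# Google Analytics transport -> directive it needs, as listed in the thread.
GA_TRANSPORTS = {"image": "img-src", "xhr": "connect-src", "beacon": "connect-src"}

def parse_policy(policy):
    # "default-src 'self'; img-src data:" -> {"default-src": ["'self'"], "img-src": ["data:"]}
    return {t[0].lower(): t[1:] for t in (p.split() for p in policy.split(";")) if t}

def effective_sources(policy, directive):
    # The fallback Chrome's console message describes ("'img-src' was not explicitly set...").
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FALLBACK else []

def allows(policy, directive, url, document_uri):
    # Simplified matching ('self', scheme sources, exact hosts); no wildcards, paths or nonces.
    want, me = urlsplit(url), urlsplit(document_uri)
    for src in effective_sources(policy, directive):
        if src == "'self'" and (want.scheme, want.netloc) == (me.scheme, me.netloc):
            return True
        if src.endswith(":") and want.scheme == src[:-1]:
            return True
        if src.split("://")[-1] == want.netloc:
            return True
    return False

def ga_transports_allowed(policy_text, document_uri, ga_url="https://www.google-analytics.com/collect"):
    return {t: allows(parse_policy(policy_text), d, ga_url, document_uri) for t, d in GA_TRANSPORTS.items()}

def triage(report_json):
    # Rules of thumb from the thread: blocked-uri self = missing 'self'; extension scheme = noise;
    # data: in form-action = still unexplained; everything else goes to a human.
    r = json.loads(report_json)["csp-report"]
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    blocked = r.get("blocked-uri", "")
    sources = effective_sources(parse_policy(r.get("original-policy", "")), directive)
    if blocked == "self" and "'self'" not in sources:
        return f"misconfiguration: add 'self' to {directive}"
    if blocked.split(":")[0] in EXTENSION_SCHEMES:
        return "browser extension noise"
    if directive == "form-action" and blocked == "data":
        return "unexplained data: form-action report"
    return "needs review"

# Constructed sample (not a real report), shaped like the ones quoted in the thread.
SAMPLE_REPORT = ('{"csp-report": {"document-uri": "https://www.example.org/page", "effective-directive": '
                 '"style-src", "original-policy": "default-src \'none\'; style-src https:", "blocked-uri": "self"}}')
```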
http://www.cspplayground.com/home
This link is added in the Resources section and is possibly redirecting to some website related to Counter-Strike Playground
https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#chromekango
Kango seems to be a firefox extension framework.
It can be from an extension using this framework.
The code base is still using Function('return this');
The latest version for ES6 is fine:
https://unpkg.com/[email protected]/build/pdf.js
However it is still there for ES5 build:
https://unpkg.com/[email protected]/es5/build/pdf.js
I do not want to allow script-src 'eval' in my CSP provider.
Is there any plan to fix ES5 build?
Hi,
It looks like the cip-genpw-icon is coming from a browser extension called ChromeIPass and/or its Firefox counterpart PassIFox.