nico3333fr / csp-useful Goto Github PK

Many of the WTFs are just the result of misconfigured CSP directives. For example:

• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#many-css-class-names-in-this-file
• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#arelnofollow

Those are both lacking 'self' for style-src, so their styles are getting blocked.

A good chunk of the script-sample entries fall into this category. Anything with blocked-uri: self should be considered to be a misconfiguration--the developer is simply missing 'self'.

I'm occasionally getting violation reports from Opera and Chrome saying that someone is setting their form-action to a data URL:

{
"csp-report": {
"document-uri": [SITE URL],
"effective-directive": "form-action",
"original-policy": "default-src [SITE URL]; style-src https: 'unsafe-inline'; img-src data: blob: https:; frame-src *; child-src * blob:; worker-src 'self' blob:; script-src https: 'unsafe-inline' 'report-sample' 'self' 'strict-dynamic' 'nonce-[removed]'; object-src 'none'; form-action [SITE URL]; report-uri [SITE URL]; report-to csproReportEndpoint;",
"blocked-uri": "data"
}
}

Does this make any sense to anyone?

This comes from the Reader Mode in Maxthon browser: http://wiki.maxthon.com/index.php/Maxthon_3_-_Reader_Mode

On old versions of Maxthon, a very strict CSP could also block Reader Mode entirely, but it has been fixed on the newer versions

https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#root-mod--_jh--rscontainer

Comes from https://easylist-downloads.adblockplus.org/easylist.txt (##.mod > ._jH + .rscontainer in the middle) and some ad blocking extensions like uBlock Origin add the CSS in a <style> tag on the web page.

it is probably from an extension in your browser, it was a vk downloader one for me

if you are not using these services, uncomment these lines to enable other filters

https://github.com/nico3333fr/CSP-useful/blame/master/report-uri/csp-parser-enhanced.php#L1566

Shouldn't this be the opposite? When a website uses Google Fonts, we want to filter (out) the reports for Google Fonts and uncomment (= activate these lines) these rules.

What other filters?
61106b3

Using Chrome. None of the attempts seem to be making it beyond this error.

Hey bro!
fantastic repo!

I will prepare the report for the analyzer but while

What means when violations report a lack source-file?

I reading all specifications of csp2 / csp3 but I not found the reason

$tab_filter in csp-parser-enhanced.php contains a couple of entry that will never be triggered in foreach loop:

• 'chromenull://': 'filter_on' => 'source_file' is overwritten by 'chromenull://' 'filter_on' => 'blocked_uri'
• 'safari-extension://' 'filter_on' => 'blocked_uri' is overwritten by 'safari-extension://' 'filter_on' => 'source_file'

A new one, on which i haven't found any details yet : the "properties" blocked URI.
It is linked only with the "connect-src" directive, and applies on legit site URLs (standard pages of the website the CSP apply to).

It's this: https://chrome.google.com/webstore/detail/skype/lifbcibllhkdhoafpjfnlhfpfgnpldfl

Trying to find an email address to tell them their extension is broken.

• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#blocked-uri-inline
• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#onclick-attribute-on-menuitem-element

This happens if you don't allow inline scripts--that is, <script> with no src attribute, but rather embedded JavaScript. Inline JavaScript has to be explicitly allowed via 'inline'.

Note that some analytics tools and other libraries may inject their own inline <script> tags.

Hi,

not-explained/chrome.tab
is similar to
explained/window.klTabId_kis

{
    "csp-report": {
        "document-uri": "https://www.example.org/...",
        "referrer": "",
        "violated-directive": "img-src 'self'",
        "original-policy": "default-src 'self';",
        "blocked-uri": "https://www.example.org"
    }
}

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b

Where "example.org" is replaced by the live domain.
I guess it is something about Big Preview but I have no idea wtf is happening there. As 'self' is allowed so the domain the rule run on should be allowed.

Google Analytics can use three methods to send data. The criteria by which it determines which is the optimal default is unclear.

• image requires a img-src directive
• xhr requires a connect-src directive
• beacon requires a connect-src directive

2 liens en plus pour la liste ;)

https://twitter.com/Scott_Helme/status/961612668992966656
https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/

https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#httpucgrepass

This is most likely a result of content injected by UC Browser. It's a popular browser in China and a few other countries in the region. It seems to have a habit of siphoning data from web pages that its users visit, as well as injecting analytics and possibly ads. This particular report may actually be from an extension designed for UC Browser.

https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#windowloop11extterritory--true

This is somehow related to "Loop11 User Testing"

• http://www.loop11.com/
• https://chrome.google.com/webstore/detail/loop11-user-testing/bhopfldlicecjkdoidhjfkhbndcjfomf?hl=en-US

• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#d19mml8yptdetbcloudfrontnet

This is adware/spyware/malware. Keep it blocked.

Hey guys. Not sure if you wanted reports as issues (sorry if not!), but I believe I may have found the source of the unknown 'wrcx' report:

https://github.com/vikeshkhanna/pointers/blob/master/youtube_files/iframe.htm

It's a Chrome extension 'to add seek markers / pointers to the YouTube timeline. You can add as many pointers you wish, drag them on the timeline, delete them and seek to that point in the video by clicking the marker. Extension uses content scripts, jquery and jquery-ui. ' - see https://github.com/vikeshkhanna/pointers

• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#var-secret

eval() is considered unsafe and needs to be explicitly allowed with script-src 'eval', otherwise it will be blocked. Numerous frameworks and analytics libraries make use of eval().

Hello there,

I use HTML5 video element on my website and a strict Content-Security-Policy directive (default-src 'self'). I get this error message in Google Chrome console when I load for the first time a page with video element:

[Report Only] Refused to load the image '' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

[Report Only] Refused to load the image 'data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjIuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IgoJIHZpZXdCb3g9IjAgMCAxOTYgMTk2IiBzdHlsZT0iZW5hYmxlLWJhY2tncm91bmQ6bmV3IDAgMCAxOTYgMTk2OyIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+CjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik05OCw0OXY0Yy0yNC45LDAtNDUsMjAuMS00NSw0NQoJYzAsMTgsMTAuNiwzMy42LDI1LjksNDAuOGwtMS43LDMuNmMwLjEsMCwwLjIsMC4xLDAuMywwLjFjLTAuMSwwLTAuMi0wLjEtMC4zLTAuMWwwLDBDNjAuNSwxMzQuNSw0OSwxMTcuNiw0OSw5OAoJQzQ5LDcwLjksNzAuOSw0OSw5OCw0OXoiLz4KPC9zdmc+Cg==' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

There is a total of 9 data:image violating CSP directive. These data:image are used for the controls of video element. If they are blocked it is impossible to use the video element.

I am aware of the possibility to use "img-src 'self' data:;" directive, but I would like to avoid this solution as it reduce the protection I could get from strict CSP directives.

I notice that HTML5 video element does not violate CSP directive when I use Edge or Firefox.

Is it possible to fix this issue ? Thank you.

• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#chrome-extension
• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#chrome-extension-1
• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#moz-extension
• https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#aboutblank

chrome-extension: will appear in reports when a Chrome extension attempts to inject a script, iframe, or other content into a page that doesn't explicitly allow the chrome-extension: scheme. If users are complaining that their extensions aren't working on your site, this is why. Oftentimes they're injecting questionable content (e.g., ads or analytics), in which case you may want to deliberately omit this.

moz-extension is the same thing, but for Firefox.

Depending on how the extension works and what browser is being used, about:blank or other about: URLs may appear instead of an extension scheme.

http://www.cspplayground.com/home
This link is added in the Resources section and is possibly redirecting to some website related to Counter-Strike Playground

https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/not-explained.md#chromekango

Kango seems to be a firefox extension framework.
It can be from an extension using this framework.

http://kangoextensions.com/kango.html

The code base is still using Function('return this');

The latest version for ES6 is fine:
https://unpkg.com/[email protected]/build/pdf.js

However it is still there for ES5 build:
https://unpkg.com/[email protected]/es5/build/pdf.js

I do not want to allow script-src 'eval' in my CSP provider.

Is there any plan to fix ES5 build?

Hi,

It looks like the cip-genpw-icon is coming from a browser extension called ChromeIPass and/or its Firefox counterpart PassIFox.