CSP violation reports for web workers displays incorrect effective-directive value (worker-uri) when worker-src is not in the original policy

Fixed Issue #14150689


neil m.
Oct 9, 2017
This issue is public.
Found in
  • Microsoft Edge
Reported by 1 person


Steps to reproduce

In https://github.com/twitter/secureheaders/issues/358, we stumbled upon this behavior where the violation report contains worker-uri as a reference to a directive rather than worker-src.

In this case, worker-src was not supplied but was the effective-directive. I have not tested to see if this is the case when worker-src is supplied or if the incorrect reference exists in other places.

I’m just going to assume that Edge respects the value of the worker-src directive and does not require one to use worker-uri to match the error. I haven’t tested this either.

I filed this under developer tools because this isn’t a security issue and the only time I look at reports is in developer tools :)

    {
        "csp-report": {
            "document-uri": "https://www.talegraph.com/tales/xxx",
            "blocked-uri": "blob",
            "violated-directive": "default-src 'self'",
            "original-policy": "default-src 'self'; connect-src 'self' wss://www.talegraph.com sentry.io api.segment.io api.mixpanel.com wss://*.crisp.chat storage.googleapis.com; font-src 'self' data: fonts.gstatic.com client.crisp.chat; frame-src 'self' blob:; img-src 'self' www.google-analytics.com client.crisp.chat image.crisp.chat data: blob: pi.prod.talegraph.net; media-src 'self' client.crisp.chat; object-src 'none'; script-src 'self' www.google-analytics.com cdn.segment.com cdn.mxpnl.com client.crisp.chat; style-src 'self' 'unsafe-inline' fonts.googleapis.com client.crisp.chat; report-uri https://talegraph.report-uri.io/r/default/csp/enforce",
            "effective-directive": "worker-uri",  <-- confusion
            "status-code": 200
        }
    }


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

    • Hi Neil,

      Apologies for the long delay.  I think you are already aware that this has been fixed.  I tested in 17134.112 and did not see the “worker-uri” "effective-directive".  Can you verify that this has indeed been fixed?  I have attached my no repro code (repro.zip) and test output.

      Test Steps:
      // assumes nodejs installed and in path.  choco install nodejs.install -y
      // assumes gitbash installed.  choco install git -y

      • unzip repro.zip
      • Run Express server with helmet-csp:
        open gitbash to serverA folder
        npm update
        node index.js
      • Open URL:
      • You will see the CSP report in the nodejs console.
      • You can modify the CSP in index.js and run again to verify the violation reports are not sent if 'blob:' is added to the default-src or the worker-src.

      CSP Violation:  { 'csp-report':
         { 'document-uri': '',
           referrer: '',
           'blocked-uri': 'blob',
           'violated-directive': 'default-src 'self'',
           'original-policy': 'default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self'; media-src 'self'; object-src 'none'; report-uri /report-violation',
           'effective-directive': 'worker-src',
           'status-code': 200 } }
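The following is an added example, not code from this issue, from Edge, or from the helmet-csp repro described in the reply above. It shows what a report-uri endpoint can do with reports like the two pasted on this page: parse original-policy, work out which directive the worker fallback chain selects (CSP3: worker-src, then child-src, then script-src, then default-src; CSP2 governed workers via child-src, then default-src), normalise the non-standard "worker-uri" spelling to worker-src, and flag anything inconsistent before the report is stored. The function names (`checkReport`, `governingWorkerDirective`, `parsePolicy`), the `KNOWN_DIRECTIVES` list and the sample report with its example.test host are assumptions constructed for this example.

```javascript
'use strict';
// Added example (not code from the issue, from Edge or from helmet-csp): checks
// CSP violation reports the way a report-uri endpoint might, using the worker
// fallback chains from the CSP specifications.

// Directive names a receiver accepts in effective-directive (assumed list).
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src', 'base-uri', 'form-action', 'frame-ancestors',
]);

// Non-standard spellings a receiver may encounter, mapped to the real directive.
const LEGACY_ALIASES = { 'worker-uri': 'worker-src' };

// Which directive governs a worker fetch, in order of preference.
const WORKER_FALLBACK = {
  csp3: ['worker-src', 'child-src', 'script-src', 'default-src'],
  csp2: ['child-src', 'default-src'],
};

// "a 'self'; b x y" -> Map { "a" => ["'self'"], "b" => ["x", "y"] }.
// A directive repeated within one policy keeps its first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of String(policy || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Name of the directive that actually governs a worker under `policy`, or null
// when none of the chain is present (then nothing restricts the worker).
function governingWorkerDirective(policy, chain = WORKER_FALLBACK.csp3) {
  const directives = parsePolicy(policy);
  return chain.find((name) => directives.has(name)) || null;
}

// Inspect one report body ({"csp-report": {...}} as the browser posts it).
// Returns the normalised effective-directive and the problems found, so the
// endpoint can log or reject oddities instead of storing them as-is.
function checkReport(body, chain = WORKER_FALLBACK.csp3) {
  const report = body && body['csp-report'];
  if (!report || typeof report !== 'object') {
    return { effective: null, problems: ['missing csp-report object'] };
  }
  const problems = [];
  let effective = report['effective-directive'];
  if (Object.prototype.hasOwnProperty.call(LEGACY_ALIASES, effective)) {
    problems.push(`non-standard effective-directive "${effective}" normalised to "${LEGACY_ALIASES[effective]}"`);
    effective = LEGACY_ALIASES[effective];
  }
  if (!KNOWN_DIRECTIVES.has(effective)) {
    problems.push(`unknown effective-directive "${effective}"`);
  }
  // For a worker violation, the directive named in violated-directive should be
  // the one the fallback chain selects from original-policy.
  if (effective === 'worker-src') {
    const expected = governingWorkerDirective(report['original-policy'], chain);
    const violated = String(report['violated-directive'] || '').split(/\s+/)[0];
    if (expected && violated !== expected) {
      problems.push(`violated-directive "${violated}" but fallback chain selects "${expected}"`);
    }
  }
  return { effective, problems };
}

// Constructed sample modelled on the report in the issue (host is a placeholder).
const SAMPLE_REPORT = {
  'csp-report': {
    'document-uri': 'https://example.test/page',
    'blocked-uri': 'blob',
    'violated-directive': "default-src 'self'",
    'original-policy': "default-src 'self'; script-src 'self'; object-src 'none'; report-uri /report-violation",
    'effective-directive': 'worker-uri',
    'status-code': 200,
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkReport(SAMPLE_REPORT, WORKER_FALLBACK.csp2));
  console.log(checkReport(SAMPLE_REPORT, WORKER_FALLBACK.csp3));
}
```

Run with `node` to see the sample report checked against both chains: with the CSP2 chain the only finding is the "worker-uri" spelling, while with the CSP3 chain the checker also notes that the policy's script-src, not default-src, is what would govern the worker. Passing the chain in explicitly keeps the endpoint's expectations visible when the receiving side has to reason about reports from browsers at different spec levels.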

    • Microsoft Edge Team

      Changed Status to “Fixed”
