CSP violation reports for web workers displays incorrect effective-directive value (worker-uri) when worker-src is not in the original policy
Issue #14150689 • Assigned to Steven K.
Steps to reproduce
In https://github.com/twitter/secureheaders/issues/358, we stumbled upon this behavior where the violation report contains worker-uri as a reference to a directive rather than worker-src.
In this case, worker-src was not supplied but was the effective-directive. I have not tested to see if this is the case when worker-src is supplied or if the incorrect reference exists in other places.
I'm just going to assume that Edge respects the value of the worker-src directive and does not require one to use worker-uri to match the error. I haven't tested this either.
I filed this under developer tools because this isn’t a security issue and the only time I look at reports is in developer tools :)
{
  "csp-report": {
    "document-uri": "https://www.talegraph.com/tales/xxx",
    "blocked-uri": "blob",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; connect-src 'self' wss://www.talegraph.com sentry.io api.segment.io api.mixpanel.com wss://*.crisp.chat storage.googleapis.com; font-src 'self' data: fonts.gstatic.com client.crisp.chat; frame-src 'self' blob:; img-src 'self' www.google-analytics.com client.crisp.chat image.crisp.chat data: blob: pi.prod.talegraph.net; media-src 'self' client.crisp.chat; object-src 'none'; script-src 'self' www.google-analytics.com cdn.segment.com cdn.mxpnl.com client.crisp.chat; style-src 'self' 'unsafe-inline' fonts.googleapis.com client.crisp.chat; report-uri https://talegraph.report-uri.io/r/default/csp/enforce",
    "effective-directive": "worker-uri", <-- confusion
    "status-code": 200
  }
}
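As an added example (not part of this issue, of Edge, or of secureheaders), a small report-endpoint helper that maps the non-standard worker-uri name back to worker-src and works out, under CSP3's fallback chain, which directive in the original policy governed the blocked worker fetch. The alias table, the fallback chain and the sample report are assumptions constructed for the example.

```javascript
// Added example: normalise CSP violation reports whose "effective-directive"
// carries a non-standard name such as "worker-uri". The alias table and the
// fallback chain are assumptions taken from CSP3, not from the issue text.
const DIRECTIVE_ALIASES = { "worker-uri": "worker-src" };
// CSP3 fallback order for worker fetches; other fetch directives go to default-src.
const FALLBACK_CHAIN = { "worker-src": ["child-src", "script-src", "default-src"] };

// Parse "default-src 'self'; img-src data:" into Map(name -> [source exprs]).
// A directive repeated within one policy keeps its first occurrence, as in CSP.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Which directive present in the policy governs a fetch of kind `name` under CSP3.
function governingDirective(policy, name) {
  const chain = [name, ...(FALLBACK_CHAIN[name] || ["default-src"])];
  return chain.find((d) => policy.has(d)) || null;
}

// Normalise one report: map the alias, flag the rename, and compare the
// directive the browser says it enforced (violated-directive) with the one
// CSP3's fallback chain would pick from the original policy.
function normaliseReport(report) {
  const body = report["csp-report"];
  const policy = parsePolicy(body["original-policy"]);
  const raw = body["effective-directive"];
  const effective = DIRECTIVE_ALIASES[raw] || raw;
  return {
    effectiveDirective: effective,
    renamed: effective !== raw,
    governingDirective: governingDirective(policy, effective),
    violatedDirective: body["violated-directive"].split(/\s+/)[0],
    blockedUri: body["blocked-uri"],
  };
}

// Constructed sample modelled on the report in the issue (policy shortened,
// host replaced with an example name, no script-src so the chain ends at default-src).
const SAMPLE_REPORT = { "csp-report": {
  "document-uri": "https://www.example.test/tales/xxx",
  "blocked-uri": "blob",
  "violated-directive": "default-src 'self'",
  "original-policy": "default-src 'self'; img-src 'self' data:; report-uri /csp",
  "effective-directive": "worker-uri",
  "status-code": 200,
} };
```

Fed the full policy from the issue instead, governingDirective returns script-src (the CSP3 chain) while violated-directive says default-src, and that disagreement is exactly the kind of browser-specific fallback a report pipeline should flag rather than silently accept.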