CSP report blocked-uri field is empty

Issue #16360429 • Assigned to edgedevtoolstri


Scott H.
Mar 13, 2018
This issue is public.
Found in
  • Microsoft Edge
Reported by 3 people

Sign in to watch or report this issue.

Steps to reproduce

When a CSP violation occurs on a page the browser will dispatch a CSP report. If the report was caused by inline script or style, or an eval() call, the blocked-uri [1] field is empty in reports from Edge.

It would be very helpful for site operators to know what caused the violation as it will help them debug issues. Could Edge use the ‘inline’ and ‘eval’ values inside the blocked-uri field when reporting so that site operators know the root cause?

blocked-uri inline
blocked-uri eval

The effective-directive and/or violated-directive field will already indicate whether the cause was script or style related. Most other browsers already take this approach and it would make CSP reports a lot more useful! We’re processing ~8 billion CSP reports per month at Report URI [2] and this is a common feature request / complaint about reports affecting a large number of sites.

[1] https://www.w3.org/TR/CSP2/#violation-report-blocked-uri
[2] https://report-uri.com


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

      Changed Assigned To to “edgedevtoolstri”

    You need to sign in to your Microsoft account to add a comment.

    Sign in