CSP report blocked-uri field is empty

Issue #16360429 • Unassigned

Details

Author: Scott H.
Created: Mar 13, 2018
Privacy: This issue is public.
Found in: Microsoft Edge
Reports: Reported by 3 people


Steps to reproduce

When a CSP violation occurs on a page the browser will dispatch a CSP report. If the report was caused by inline script or style, or an eval() call, the blocked-uri [1] field is empty in reports from Edge.

It would be very helpful for site operators to know what caused the violation as it will help them debug issues. Could Edge use the ‘inline’ and ‘eval’ values inside the blocked-uri field when reporting so that site operators know the root cause?

blocked-uri inline
blocked-uri eval

The effective-directive and/or violated-directive field will already indicate whether the cause was script or style related. Most other browsers already take this approach and it would make CSP reports a lot more useful! We’re processing ~8 billion CSP reports per month at Report URI [2] and this is a common feature request / complaint about reports affecting a large number of sites.

[1] https://www.w3.org/TR/CSP2/#violation-report-blocked-uri
[2] https://report-uri.com
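
For a report collector that receives such reports, one way to bucket them by cause is sketched here. This is an added example, not part of the original issue and not Report URI's code. The function names and sample reports are constructed, and treating an empty blocked-uri under a script or style directive as "inline or eval" is an assumption based on the behaviour described in the issue.

```javascript
'use strict';

// Constructed sample report bodies, shaped like CSP2 "csp-report" JSON.
const SAMPLES = {
  emptyScript: JSON.stringify({ 'csp-report': {
    'document-uri': 'https://example.test/',
    'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src',
    'blocked-uri': '' } }),
  labelledEval: JSON.stringify({ 'csp-report': {
    'effective-directive': 'script-src', 'blocked-uri': 'eval' } }),
  emptyStyleNoEffective: JSON.stringify({ 'csp-report': {
    'violated-directive': "style-src 'self'", 'blocked-uri': '' } }),
  externalScript: JSON.stringify({ 'csp-report': {
    'effective-directive': 'script-src',
    'blocked-uri': 'https://cdn.example.test/a.js' } }),
};

// Resource type from effective-directive, falling back to the first token
// of violated-directive (which may carry the whole directive text).
function resourceType(report) {
  const raw = report['effective-directive'] || report['violated-directive'] || '';
  const name = String(raw).trim().split(/\s+/)[0].toLowerCase();
  if (name.startsWith('script-src')) return 'script';
  if (name.startsWith('style-src')) return 'style';
  return 'unknown';
}

// Classify one POSTed report body. Assumption: an empty blocked-uri under a
// script or style directive is an inline or eval violation; the two cannot be
// told apart from these fields alone.
function classifyReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (err) {
    return { ok: false, reason: 'invalid-json' };
  }
  const report = parsed && parsed['csp-report'];
  if (!report || typeof report !== 'object') {
    return { ok: false, reason: 'missing-csp-report' };
  }
  const blocked = typeof report['blocked-uri'] === 'string'
    ? report['blocked-uri'].trim() : '';
  const type = resourceType(report);
  let cause = 'uri';
  if (blocked === 'inline' || blocked === 'eval') cause = blocked;
  else if (blocked === '') cause = type === 'unknown' ? 'unknown' : 'inline-or-eval';
  return { ok: true, type, cause, blockedUri: blocked };
}
```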
