I am implementing Content Security Policy in my website headers. I currently have it in report-only mode for testing. My server is Apache 2.4.7.
After setting up some policies I keep seeing reports like this:

    {
      "csp-report": {
        "document-uri": "http://www.example.com/page.html",
        "referrer": "",
        "violated-directive": "script-src 'self' http://www.google-analytics.com",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; img-src *; report-uri https://example.com/report",
        "blocked-uri": "about",
        "status-code": 200
      }
    }
I don't know how to troubleshoot these reports. page.html contains static HTML and the Google Analytics script. What exactly is the URI "about" that is being blocked?
I have read the Content Security Policy documentation but could not find anything that would explain this.
I cannot reproduce the error by accessing the same URL with the same browser type.
Best Answer
After further searching I was able to find this Stack Overflow post about the same problem: https://stackoverflow.com/questions/32336860/why-would-i-get-a-csp-violation-for-the-blocked-uri-about
It turns out that this can be caused by a browser add-on that blocks URLs by replacing them with about:blank.
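As an added example (not code from the question or the answer above), the following Python script shows one way to triage a stream of CSP reports so that noise of the kind the answer describes (a blocked-uri of "about" / "about:blank" caused by a browser add-on) is counted separately from violations that actually need review. It goes slightly beyond the page's specific case by also treating browser-extension URL schemes (chrome-extension:, moz-extension:, and similar) as add-on noise, since those are injected by the browser rather than by the site. The sample report bodies, the extension id and the CDN hostname are constructed for the example; the function names are my own.

```python
import json
from collections import Counter

# Constructed sample report POST bodies. The first mirrors the report quoted
# in the question (blocked-uri "about"); the rest are constructed variants.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "http://www.example.com/page.html", '
    '"referrer": "", '
    '"violated-directive": "script-src \'self\' http://www.google-analytics.com", '
    '"effective-directive": "script-src", '
    '"original-policy": "default-src \'self\'; img-src *; '
    'report-uri https://example.com/report", '
    '"blocked-uri": "about", "status-code": 200}}',
    # Constructed: a script injected by a browser extension.
    '{"csp-report": {"document-uri": "http://www.example.com/page.html", '
    '"violated-directive": "script-src \'self\'", '
    '"effective-directive": "script-src", '
    '"blocked-uri": "chrome-extension://constructed-extension-id/inject.js"}}',
    # Constructed: a third-party script the policy really does not allow.
    '{"csp-report": {"document-uri": "http://www.example.com/page.html", '
    '"violated-directive": "script-src \'self\'", '
    '"effective-directive": "script-src", '
    '"blocked-uri": "http://cdn.example.net/widget.js"}}',
    # Constructed: garbage posted to the report endpoint.
    'this is not json',
]

# URL schemes used by browser extensions; reports naming them come from
# the user's browser, not from the site's own markup.
EXTENSION_SCHEMES = (
    "chrome-extension:",
    "moz-extension:",
    "safari-extension:",
    "ms-browser-extension:",
)


def parse_csp_report(raw: str) -> dict:
    """Parse one report body and return the inner csp-report object.

    Raises ValueError (json.JSONDecodeError is a subclass) when the body is
    not JSON or lacks the fields every report must carry.
    """
    body = json.loads(raw)
    report = body.get("csp-report", body)
    for field in ("document-uri", "violated-directive", "blocked-uri"):
        if field not in report:
            raise ValueError(f"report is missing {field!r}")
    return report


def classify_report(report: dict) -> str:
    """Label a report as add-on noise, inline/eval, or a candidate violation."""
    blocked = str(report.get("blocked-uri", "")).strip().lower()
    # An add-on that rewrites a URL to about:blank yields "about" here.
    if blocked in ("about", "about:blank"):
        return "likely-extension"
    if blocked.startswith(EXTENSION_SCHEMES):
        return "likely-extension"
    # Browsers report inline scripts/styles or eval with an empty or
    # symbolic blocked-uri rather than a URL.
    if blocked in ("", "inline", "eval"):
        return "inline-or-eval"
    return "candidate-violation"


def triage(raw_reports):
    """Return (counts per label, list of (directive, blocked-uri) to review)."""
    counts = Counter()
    to_review = []
    for raw in raw_reports:
        try:
            report = parse_csp_report(raw)
        except ValueError:
            counts["malformed"] += 1
            continue
        label = classify_report(report)
        counts[label] += 1
        if label == "candidate-violation":
            directive = (report.get("effective-directive")
                         or report["violated-directive"].split()[0])
            to_review.append((directive, report["blocked-uri"]))
    return counts, to_review


if __name__ == "__main__":
    counts, to_review = triage(SAMPLE_REPORTS)
    print(dict(counts))
    for directive, uri in to_review:
        print(f"review: {directive} blocked {uri}")
```

Run against a log of report bodies, this separates the add-on noise (which you cannot fix from the server side) from the reports that indicate a real gap between the policy and the page, which is what matters before moving from report-only to enforcement.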