
When I use a Content-Security-Policy knowing that it will (and should) block some elements, is there a way to get reports for all violations except these?

I get, for example, hits from a script that is inserted by some Kaspersky product. It's great when the browser blocks this script and I do not need a report, as I can neither fix it, nor do I want to change the block. But when some other resource is accidentally blocked (or there actually IS a security incident) I want the report.

Is there a way to have a blacklist, which just gets blocked, and another list of resources which should be reported when they get blocked?

allo

1 Answer

You can have multiple Content-Security-Policy headers. Each of them will be inspected independently. So you can use a second Content-Security-Policy header to list the blacklisted resources and not set the report-uri for this header.

In the first Content-Security-Policy, allow the blacklisted URLs, with a report-uri. In the second Content-Security-Policy, use the same policy as header #1 but do not whitelist URLs and do not set report-uri.

Adding a concrete example: you want to whitelist a.com and b.com, and blacklist x.com and y.com. You will use these 2 headers:

Content-Security-Policy: default-src a.com b.com x.com y.com; report-uri /report
Content-Security-Policy: default-src a.com b.com

x.com and y.com will be blocked by the second header, but not reported (no report-uri). Anything that is not a.com b.com x.com y.com will be blocked and reported.

Julien