
I am using a hash-based script-src CSP (v2), together with Sentry's report-uri, on my site.

Recently I am getting lots of CSP violation reports, specifically from the latest version of Firefox (version 66 as of writing), creating lots of noise.

Recently Blocked 'script' from 'inline:'

Testing with a Firefox installation on my own computer, I found out that many add-ons actually inject inline scripts into the DOM, thus triggering CSP errors.

Is it possible to ignore/mitigate this problem via a CSP rule, or can I ignore all these Firefox entries somehow via SDK or dashboard settings?

William Chong

2 Answers


I received an answer from Sentry customer service:

"You can ignore these by going into your project's settings, then Security Headers > CSP Instructions > 'Additional ignored sources', and paste in the blocked_uri value from the Event's CSP Report."

In this case the blocked_uri value would be inline. Note that it will ignore all inline reports, not just from Firefox, but this is good enough for my problem.

William Chong
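The Sentry setting above drops every report whose blocked source is inline, from any browser. For anyone handling the report-uri endpoint themselves, here is an added example (not from the question, the answer, or Sentry) that parses the JSON body a browser POSTs, with its top-level `csp-report` object and `blocked-uri` field, and applies a narrower filter: inline violations are suppressed only when the User-Agent looks like Firefox, so an inline violation from another browser still surfaces. The sample reports and user-agent strings are constructed for the example, and the `Firefox/` marker and the `inline` ignore list are assumptions you would tune to your own traffic.

```python
import json

# Values of blocked-uri to treat as add-on noise (the same value the Sentry setting ignores).
IGNORED_SOURCES = frozenset({"inline"})
# Assumption: only suppress inline noise when the User-Agent identifies Firefox.
NOISY_UA_MARKERS = ("Firefox/",)

# Constructed sample (user_agent, raw POST body) pairs; the UA strings are illustrative.
SAMPLE_REPORTS = [
    (
        "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0",
        '{"csp-report": {"document-uri": "https://example.test/",'
        ' "violated-directive": "script-src", "effective-directive": "script-src",'
        ' "blocked-uri": "inline", "script-sample": "var injected = true;"}}',
    ),
    (
        "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/73.0 Safari/537.36",
        '{"csp-report": {"document-uri": "https://example.test/page",'
        ' "violated-directive": "script-src", "effective-directive": "script-src",'
        ' "blocked-uri": "https://cdn.attacker.test/x.js"}}',
    ),
    (
        "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/73.0 Safari/537.36",
        '{"csp-report": {"document-uri": "https://example.test/login",'
        ' "violated-directive": "script-src", "effective-directive": "script-src",'
        ' "blocked-uri": "inline", "script-sample": "document.forms[0].action=..."}}',
    ),
    # Malformed body: csp-report is not an object, so the parser must reject it.
    ("curl/7.64.0", '{"csp-report": "oops"}'),
]


def parse_csp_report(body):
    """Return the 'csp-report' object from a report-uri POST body, or raise ValueError."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "blocked-uri" not in report:
        raise ValueError("missing csp-report object or blocked-uri")
    return report


def is_addon_noise(report, user_agent):
    """True when the violation matches the add-on pattern: inline source *and* Firefox UA."""
    return (report["blocked-uri"] in IGNORED_SOURCES
            and any(marker in user_agent for marker in NOISY_UA_MARKERS))


def triage(reports):
    """Split (user_agent, body) pairs into kept, ignored and invalid buckets.

    Each kept/ignored entry records the blocked-uri; invalid entries record the parse error.
    """
    result = {"kept": [], "ignored": [], "invalid": []}
    for user_agent, body in reports:
        try:
            report = parse_csp_report(body)
        except ValueError as exc:
            result["invalid"].append(str(exc))
            continue
        bucket = "ignored" if is_addon_noise(report, user_agent) else "kept"
        result[bucket].append(report["blocked-uri"])
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORTS).items():
        print(f"{bucket}: {items}")
```

The third sample shows why the narrower filter can be worth the extra code: an inline violation reported by a non-Firefox browser is kept, whereas the dashboard setting would silently discard it along with the add-on noise.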

You can allow 'unsafe-inline' as a source, although doing so significantly weakens the security offered by CSP. (If you need to use unsafe-inline, I believe you have to NOT use the hash, as the hash supersedes the 'inline' directive.)

Stephen R
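To make the interplay the answer describes concrete, here is an added example (not from the answer or from any CSP library) that computes the hash source for an inline script body, assembles a script-src directive with a report-uri, and checks whether 'unsafe-inline' would actually take effect: under CSP Level 2, a script-src that contains a nonce or hash source makes browsers ignore 'unsafe-inline'. The sample script body and report endpoint are constructed for the example.

```python
import base64
import hashlib
import re


def script_hash(source, algo="sha256"):
    """Return the CSP hash-source for an inline script body, e.g. 'sha256-<base64>'.

    The digest covers the exact bytes between <script> and </script>, whitespace included,
    so the served markup must match this string byte for byte.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only accepts sha256, sha384 or sha512 hash sources")
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_script_src(sources, report_uri=None):
    """Assemble a script-src directive (plus an optional report-uri directive)."""
    policy = "script-src " + " ".join(sources)
    if report_uri:
        policy += f"; report-uri {report_uri}"
    return policy


# Matches any nonce or hash source inside a directive value.
_HASH_OR_NONCE = re.compile(r"'(?:sha(?:256|384|512)|nonce)-[^']+'")


def unsafe_inline_is_effective(script_src):
    """True only when 'unsafe-inline' is present AND no nonce/hash source neutralises it."""
    return "'unsafe-inline'" in script_src and not _HASH_OR_NONCE.search(script_src)


if __name__ == "__main__":
    # Constructed inline script body; in practice this is the literal content of your <script> tag.
    inline_body = "window.appConfig = {feature: true};"
    h = script_hash(inline_body)
    strict = build_script_src([h], report_uri="/csp-report")       # constructed endpoint
    mixed = build_script_src(["'unsafe-inline'", h])
    print(strict)
    print("unsafe-inline effective in strict policy:", unsafe_inline_is_effective(strict))
    print("unsafe-inline effective alongside a hash:", unsafe_inline_is_effective(mixed))
```

Running it shows that adding 'unsafe-inline' next to a hash changes nothing in a CSP2 browser, which is the reason the answer says you would have to drop the hash to let add-on-injected inline scripts through, and why doing so gives up the protection the hash was providing.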