
I am integrating with a third party library (Chargebee) and I am receiving Content Security Violation errors.

As far as I can tell, I don't have CSP defined in my web page as it doesn't return a CSP response header:

[screenshot: response headers for the page, with no Content-Security-Policy header present]

Although, when trying to utilise this library I'm getting errors along the lines of:

[screenshots: browser console errors reporting Content Security Policy violations]

Questions

  1. I'm using other third party JS libraries, why am I not getting this error for any others? I've never had to specify a CSP for any previously.

  2. If I do actually define a CSP, I'm then blocking the other third party libraries. Can I allow Chargebee without then blocking others (and without having to include them all in the CSP)?

It doesn't make sense. It suggests that I don't have a CSP defined seeing as it's not returned in my headers and I can use third party resources, I have even verified this using the Chrome CSP evaluator extension. And yet, the error messages show that I do have a CSP policy defined.

Am I missing something?

Brummy
  • You have a Chargebee iframe embedded in the page. The violations you observed belong to the Chargebee iframe, which publishes its own CSP header. You have nothing to do with that, but since the browser has only one console for the main page and all iframes, you can see third-party iframes' errors too. – granty Jul 03 '21 at 15:43
  • Ah, does that mean it's an error on their part? I.e. I should contact them? I've followed their guide so I'm using it how I'm supposed to. – Brummy Jul 03 '21 at 17:05
  • Yes, this violation occurs in the Chargebee iframe. You do not need to contact them; they know about this "error", because this CSP is in Report-Only mode (monitoring) with a reporting endpoint specified. They get all CSP violation reports. – granty Jul 04 '21 at 08:07
  • highly doubt they check CSP violations... – waltmagic Nov 05 '22 at 22:58
  • @granty do you know how these errors are viewed by companies doing penetration tests? – pieguy Mar 23 '23 at 14:55

1 Answer


If I do actually define a CSP, I'm then blocking the other third party libraries. Can I allow Chargebee without then blocking others (and without having to include them all in the CSP)?

No - CSP is an allowlist protocol. If you define a CSP, you need to map out all the various needed resources - at least for the directives that you are using (for example you can confine your CSP to only script-src and object-src, and ignore others).

Since you cannot control or predict which directives are needed for Chargebee's CSP, it's best to use predetermined CSP packages and a CSP generator.

Shai Alon
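As an added example (not code from the question, the answer or Chargebee), the following JavaScript models the two points made on this page: the answer's point that CSP is an allowlist, so an enforcing policy blocks every script host that is not listed in the governing directive (while directives you leave out, such as img-src here, restrict nothing), and granty's point that a Content-Security-Policy-Report-Only policy records a violation without blocking anything. All hosts are assumptions: shop.example and other-vendor.example are made up, and js.chargebee.com is used only as the assumed host of Chargebee's script. The source matcher is a simplified version of the specification's rules (no nonces, hashes, 'strict-dynamic' or redirect handling).

```javascript
// Added example (not code from the question, the answer, or Chargebee):
// a small model of how a browser evaluates a CSP header for one resource load.
// It shows why CSP is an allowlist (anything not listed in the governing
// directive is a violation) and how Content-Security-Policy-Report-Only
// differs from the enforcing header (violations are reported, never blocked).
// Simplified: no nonces, hashes, 'strict-dynamic' or redirect handling.

// Split "script-src 'self' https://a.example; object-src 'none'" into
// { 'script-src': ["'self'", 'https://a.example'], 'object-src': ["'none'"] }.
function parsePolicy(serialized) {
  const directives = {};
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression (keyword, scheme, or host pattern) match `url`?
// `self` is the URL of the document that received the policy.
function sourceMatches(source, url, self) {
  const keyword = source.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return url.origin === self.origin;
  if (keyword === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (keyword.startsWith("'")) return false;            // 'unsafe-inline', nonces, hashes: not URL sources
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === keyword; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]; host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:/*]+|[^:/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== self.protocol && url.protocol !== 'https:') {
    return false;                                        // no scheme given: document scheme, or https upgrade
  }
  const h = host.toLowerCase();
  if (h.startsWith('*.') ? !url.hostname.endsWith(h.slice(1)) : url.hostname !== h) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port ? (port !== '*' && port !== urlPort) : (urlPort !== defaultPort(url.protocol))) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Decide what `policy` does about loading `resourceUrl` under `directive`.
// policy.enforce === true  models the Content-Security-Policy header,
// policy.enforce === false models Content-Security-Policy-Report-Only.
function checkLoad(policy, directive, resourceUrl, documentUrl) {
  const self = new URL(documentUrl);
  const url = new URL(resourceUrl, documentUrl);
  const directives = parsePolicy(policy.header);
  // Fetch directives fall back to default-src; with neither present there is no restriction at all.
  const effective = directive in directives ? directive
    : 'default-src' in directives ? 'default-src' : null;
  if (effective === null) return { violation: false, blocked: false, effectiveDirective: null };
  const allowed = directives[effective].some((src) => sourceMatches(src, url, self));
  return { violation: !allowed, blocked: !allowed && policy.enforce, effectiveDirective: effective };
}

// Constructed scenario: a merchant page (shop.example is made up) whose policy
// lists js.chargebee.com (assumed here to be Chargebee's script host) but not
// a second vendor's CDN, and confines itself to script-src and object-src.
const PAGE = 'https://shop.example/checkout';
const ENFORCED = { header: "script-src 'self' https://js.chargebee.com; object-src 'none'", enforce: true };
const REPORT_ONLY = { header: ENFORCED.header, enforce: false };
const NO_CSP = { header: '', enforce: true };            // a page that sends no CSP header at all
const OTHER = 'https://cdn.other-vendor.example/lib.js';

function demo() {
  return {
    ownScript:   checkLoad(ENFORCED, 'script-src', '/static/app.js', PAGE),
    chargebee:   checkLoad(ENFORCED, 'script-src', 'https://js.chargebee.com/v2/chargebee.js', PAGE),
    otherVendor: checkLoad(ENFORCED, 'script-src', OTHER, PAGE),                 // not listed: blocked
    otherVendorReportOnly: checkLoad(REPORT_ONLY, 'script-src', OTHER, PAGE),    // not listed: reported only
    noPolicy:    checkLoad(NO_CSP, 'script-src', OTHER, PAGE),                   // no header: nothing to violate
    plugin:      checkLoad(ENFORCED, 'object-src', 'https://shop.example/legacy.swf', PAGE), // 'none'
    unrestrictedImage: checkLoad(ENFORCED, 'img-src', 'https://img.other-vendor.example/a.png', PAGE), // no img-src, no default-src
    fallback:    checkLoad({ header: "default-src 'self'", enforce: true }, 'img-src',
                           'https://img.other-vendor.example/a.png', PAGE),      // governed by default-src
  };
}

for (const [name, result] of Object.entries(demo())) console.log(name, result);
```

Run it with node. The check this suggests for the situation in the question: each document is evaluated only against the headers it received itself, so a violation of a policy that the main page never sent cannot be the main page's. In a browser, the securitypolicyviolation event fires only in the document whose policy was violated; a listener on the top-level page that never fires while the console keeps logging violations confirms the messages come from an embedded frame's policy, as the comment above describes.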