I recently enforced a content security policy on my web-app. I used CSP3 with the 'strict-dynamic' source expression. I've been analysing reports and the bulk of the violations are attributed to "source-file": "about" and "blocked-uri": "inline". The field "document-uri" has URLs from my app.

I wanted to check if this "source-file":"about" is something that others in the web-security world understand. I am inclined to believe that this is noise but I want to be sure.

Mayur Arora
  • https://stackoverflow.com/questions/32336860/why-would-i-get-a-csp-violation-for-the-blocked-uri-about – Ry- May 20 '22 at 16:31
  • Thanks @Ry. This sounds similar but in my case I see 'source-file' attributed to "about". Also, "script-sample" shows code of the first inline script on my web-page. I think I should try installing one of these extensions mentioned in the other question. – Mayur Arora May 20 '22 at 16:39
  • You can safely ignore such warnings - they almost always come from browser extensions. – IVO GELOV May 20 '22 at 18:36
  • I am inclined to, but I’ve been wanting to reproduce one such violation. I am looking for an extension that is blocked by CSP and produces a report with source-file set to ‘about’. – Mayur Arora May 22 '22 at 13:41

0 Answers