CSP: all "Blocked 'script' from 'eval:'" reports are grouped together

[patrakov]

Environment

self-hosted (https://develop.sentry.dev/self-hosted/)

Version

22.1.0

Steps to Reproduce

1. Get a user who installs the "Adblock" (non-plus) Chrome extension.
2. Get a CSP report from them

The report looks like this:

{
  "csp-report": {
    "effective_directive": "script-src",
    "blocked_uri": "eval",
    "document_uri": "about",
    "original_policy": "...; script-src 'self' 'unsafe-inline' 'report-sample' https://cdn.polyfill.io https://www.google.com https://www.gstatic.com; ...",
    "referrer": "",
    "status_code": 0,
    "violated_directive": "script-src",
    "line_number": 27,
    "column_number": 23,
    "script_sample": "(function injected(eventName, injectedIn",
    "disposition": "enforce"
  }
}

3. Decide that it is useless, try to ignore.
4. Look at the bottom, at the event grouping information, panic because you ignored too much.

Expected Result

Not sure. Maybe something that takes script_sample into account, and warns if the policy doesn't have report-sample?

Additionally, the ability to write a rule that says "all CSP reports with script_sample equal to (function injected(eventName, injectedIn are caused by AdBlock and should be ignored" would be good.

Actual Result

default
  csp
    salt (a static salt) script-src
    URL eval:

...which probably means that all "Blocked 'script' from 'eval:'" reports are grouped together. This particular CSP violation is caused by Adblock (and I have confirmed this with one user), but I would definitely not want this to be grouped together with real almost-successful XSS attempts.

[patrick-laa]

This would all be solvable if it was possible to add a custom issue grouping fingerprint rule where the script_sample was added to the fingerprint. Unfortunately that's not supported at the moment.

[hubertdeng123]

Thanks for bringing this up. I'm going to add this to the Issues backlog

[getsantry[bot]]

Routing to @getsentry/product-owners-issues for triage ⏲️