Open mlissner opened 1 year ago
Assigning to @getsentry/support for routing ⏲️
Routing to @getsentry/product-owners-issues for triage ⏲️
Routing to @getsentry/product-owners-settings-security-privacy for triage ⏲️
@barkbarkimashark If you are backlogging an item, could you remove the Waiting for: Product Owner
label next time? It helps us know that the issue has been addressed. Thanks! 🙏
I've encountered the same issue here when trying to collect CSP-related information through Sentry: I quickly ate up my quota. Because I was unaware of how many violations there would be, it was very hard to get the CSP configured correctly, and because of this the best solution I found was to disable Sentry reporting for the time being.
It would be wonderful to have a grace period to fine-tune the CSP policy. Also to filter out the noise as mentioned above for errors we indeed do not care about.
We're encountering this as well and had to disable CSP reporting as it exceeded our quota in less than a day, leaving us with a completely unusable Sentry account for the remainder of the quota period 😭
We have a similar problem. Namely, there are some resources that get blocked (mostly analytics images or scripts) that are used by external scripts we load. We would like to keep blocking these scripts; however, they generate reports which then eat up our Sentry quota. At the Sentry level, I don't see a way to reject these reports.
Then there are also, as mentioned by the other people in this thread, Google Translate, Kaspersky, browser extensions etc. that inject into the page and eat up the quota too.
A lot of these reports are coming from extensions. The source literally says moz-extension or something like that. Let's have an option not to see these.
You can filter those out by using the "Additional ignored sources" option in the CSP settings of the relevant project. For example, to exclude CSP violations caused by browser extensions, you can add the following entries:

chrome-extension
moz-extension

This works since the filter checks matches against blocked_uri, source_file and document_uri.
That'd leave a bunch of websites that are designed to be hotlinked, like jsdeliver.net, and translate.google.com. Those are annoying. I'm not sure how much we can do about them. Maybe just automatically group them by domain name? Google, for example, has a dozen or so domains.
It supports wildcards, so based on the example above, you can filter those out as well. For instance, to exclude Google Translate, we use the following configuration:
https://translate.google.com/*
https://translate.googleapis.com/*
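To make the matching described in the reply above concrete, here is a small pre-filter a site could run at its own report-uri endpoint, dropping the noisy reports before forwarding the rest to Sentry. This is an added example, not Sentry's code and not part of this thread: how Sentry's "Additional ignored sources" option actually matches entries is an assumption modelled on the description above (bare scheme tokens as prefixes, `*` as a wildcard). The field names come from the standard CSP report-uri JSON payload browsers POST (hyphenated `blocked-uri`, `source-file`, `document-uri`); the sample reports and the example.org / cdn.example.org URLs are constructed.

```python
"""Pre-filter for CSP violation reports before they are forwarded to Sentry.

Added example, not Sentry's code. It mimics the behaviour described in the
thread: ignore entries are matched against blocked_uri, source_file and
document_uri, with '*' wildcard support. Sentry's real matching rules are an
assumption here; the report field names are those of the report-uri JSON
payload that browsers POST.
"""
import json
import re

# Assumed ignore list, modelled on the entries quoted in the thread.
IGNORED_SOURCES = [
    "chrome-extension",
    "moz-extension",
    "https://translate.google.com/*",
    "https://translate.googleapis.com/*",
]

# report-uri field name (hyphenated) -> Sentry attribute name (underscored).
CHECKED_FIELDS = {
    "blocked-uri": "blocked_uri",
    "source-file": "source_file",
    "document-uri": "document_uri",
}


def _glob_to_regex(pattern):
    """Compile a pattern where only '*' is special (no '?' or '[]' surprises,
    since real URLs contain '?')."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def matches_ignore(value, pattern):
    """True if one URI value matches one ignore entry.

    A pattern containing '*' is a glob. A bare token such as 'moz-extension'
    matches either exactly (Chrome often reports only the scheme as
    blocked-uri) or as the scheme of a full URL (moz-extension://...).
    """
    if not value:
        return False
    if "*" in pattern:
        return _glob_to_regex(pattern).match(value) is not None
    return value == pattern or value.startswith(pattern + "://")


def ignored_reason(report):
    """Return (sentry_attr, pattern) explaining why a report is dropped, else None."""
    body = report.get("csp-report", report)
    for report_field, sentry_attr in CHECKED_FIELDS.items():
        value = body.get(report_field, "")
        for pattern in IGNORED_SOURCES:
            if matches_ignore(value, pattern):
                return sentry_attr, pattern
    return None


def filter_reports(raw_reports):
    """Split raw JSON report bodies into (forward, dropped) lists of
    (parsed_report, reason) tuples; reason is None for forwarded reports."""
    forward, dropped = [], []
    for raw in raw_reports:
        report = json.loads(raw)
        reason = ignored_reason(report)
        (dropped if reason else forward).append((report, reason))
    return forward, dropped


# Constructed sample reports (not real captures).
SAMPLE_REPORTS = [
    # 1. Extension-injected script, Chrome style: blocked-uri is the bare scheme.
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.org/docket/42/",
        "blocked-uri": "chrome-extension",
        "violated-directive": "script-src"}}),
    # 2. Firefox extension: the offending script shows up in source-file.
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.org/",
        "blocked-uri": "inline",
        "source-file": "moz-extension://0a1b2c3d-4e5f-6789-abcd-ef0123456789/content.js",
        "violated-directive": "script-src"}}),
    # 3. Google Translate widget pulling its own assets.
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.org/",
        "blocked-uri": "https://translate.googleapis.com/translate_static/js/element/main.js",
        "violated-directive": "script-src"}}),
    # 4. A genuine policy gap on our own CDN: this one must reach Sentry.
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.org/",
        "blocked-uri": "https://cdn.example.org/app.js",
        "violated-directive": "script-src"}}),
]

if __name__ == "__main__":
    fwd, drop = filter_reports(SAMPLE_REPORTS)
    for report, (attr, pattern) in drop:
        print("drop   ", attr, "matched", pattern)
    for report, _ in fwd:
        print("forward", report["csp-report"]["blocked-uri"])
```

Only the wildcard form is anchored to the whole URL, so `https://translate.google.com/*` will not match a look-alike host such as `translate.google.com.evil.test`; the bare scheme tokens deliberately match both the scheme-only form Chrome sends and a full extension URL.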
Problem Statement
I run a site that gets a lot of traffic. Recently, we started sending CSP reports to Sentry, but we had to disable it after a couple weeks because we were getting SO many false positives.
Ideally, we'd like to keep CSP reporting turned on so that we can fix our own issues as they arise, but we couldn't live with it as it was, because it's so noisy.
Solution Brainstorm
A couple things could help:

- A lot of these reports are coming from extensions. The source literally says moz-extension or something like that. Let's have an option not to see these.
- A lot of these reports come from connections to pretty random, junky websites. How about we don't show those errors either, via another option?
- That'd leave a bunch of websites that are designed to be hotlinked, like jsdeliver.net, and translate.google.com. Those are annoying. I'm not sure how much we can do about them. Maybe just automatically group them by domain name? Google, for example, has a dozen or so domains.
Product Area
Other