getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

`safari-web-extension` should be added to filter for `Content-Security-Policy` reports #74828

Closed jarrodldavis closed 1 month ago

jarrodldavis commented 1 month ago

Problem Statement

Currently, Safari ignores the spec and sends CSP violation reports even if the violation occurred due to an extension. Sentry already filters out reports when the source file matches the safari-extension:// scheme, but modern Safari extensions now use safari-web-extension://, thus avoiding the filter Sentry has in place.

Solution Brainstorm

DEFAULT_DISALLOWED_SOURCES should be updated to include safari-web-extension://*:

https://github.com/getsentry/sentry/blob/ae533db60c3ffd12461e335d3be2989c98371225/src/sentry/interfaces/security.py#L13-L22

Product Area

Ingestion and Filtering

getsantry[bot] commented 1 month ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 1 month ago

Routing to @getsentry/product-owners-ingestion-and-filtering for triage ⏲️

Dav1dde commented 1 month ago

Do you have the event json of one of these issues?

Relay already filters out events for safari-extension and safari-web-extensions. Wonder why it's not caught in Relay already.

Nevertheless, we should still add it to the code you linked, thanks!

jarrodldavis commented 1 month ago

@Dav1dde I don't have a Sentry envelope event payload, since this is an issue with CSP reporting, not regular Sentry error reporting. I think that's why the filtering Relay does isn't applying in this situation. Nevertheless, here is an example CSP report that wasn't filtered:

{
  "csp-report": {
    "effective_directive": "style-src-elem",
    "blocked_uri": "inline",
    "document_uri": "https://jarrodldavis.com/",
    "original_policy": "default-src 'none'; font-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-hashes' 'sha256-zlqnbDt84zf1iSefLU/ImC54isoprH/MRiVZGskwexk='; form-action 'none'; connect-src 'self'; worker-src blob:; report-uri /reporting; report-to default",
    "referrer": "",
    "status_code": 200,
    "violated_directive": "",
    "source_file": "safari-web-extension://91AB8BB8-28F5-439A-B21C-D3FE56F3D0B2/script.js",
    "line_number": 3550,
    "column_number": 27,
    "disposition": "report"
  }
}
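An added example, not Sentry's own code, that reproduces the gap described in the issue and the fix proposed for DEFAULT_DISALLOWED_SOURCES: a small glob-based source filter is run over the report posted above, first with a list that only knows `safari-extension://*` and then with `safari-web-extension://*` added. The pattern lists, the helper names and the matching rules (whole URI, bare scheme, host) are assumptions for illustration; Sentry's real list is longer, project-configurable, and matched by its own code.

```python
# Added example, not Sentry's own code: a minimal CSP-report source filter in
# the spirit of DEFAULT_DISALLOWED_SOURCES, used to show why the pattern
# "safari-extension://*" does not cover modern Safari web-extension reports.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Hypothetical subset of ignored sources (Sentry's real list is longer and can
# be extended per project). This is the state described as "before" the fix.
DISALLOWED_BEFORE = (
    "chrome-extension://*",
    "moz-extension://*",
    "safari-extension://*",
)
# The change the issue asks for: also drop safari-web-extension:// sources.
DISALLOWED_AFTER = DISALLOWED_BEFORE + ("safari-web-extension://*",)

# Constructed test input, copied from the report in the comment above
# (original_policy shortened; it plays no role in the filter).
SAMPLE_REPORT = {
    "csp-report": {
        "effective_directive": "style-src-elem",
        "blocked_uri": "inline",
        "document_uri": "https://jarrodldavis.com/",
        "original_policy": "default-src 'none'; style-src 'self'; report-uri /reporting",
        "referrer": "",
        "status_code": 200,
        "violated_directive": "",
        "source_file": "safari-web-extension://91AB8BB8-28F5-439A-B21C-D3FE56F3D0B2/script.js",
        "line_number": 3550,
        "column_number": 27,
        "disposition": "report",
    }
}


def matches_disallowed(uri: str, patterns: tuple) -> bool:
    """True if `uri` matches any glob in `patterns` (assumed matching rules).

    Each pattern is tried against the whole lower-cased URI (for "scheme://*"
    globs), the bare scheme (for entries such as "about") and the host part
    (for entries such as "*.example.com").
    """
    if not uri:
        return False
    uri = uri.strip().lower()
    parts = urlsplit(uri)
    candidates = {uri, parts.scheme, parts.netloc} - {""}
    return any(fnmatchcase(c, p.lower()) for p in patterns for c in candidates)


def should_filter_report(report: dict, patterns: tuple) -> bool:
    """Drop the report if the blocked URI or the violating script's source file
    comes from a disallowed source.

    Checking blocked_uri alone is not enough for the case in this issue: an
    injected inline style reports blocked_uri as just "inline", and the
    extension scheme shows up only in source_file.
    """
    body = report.get("csp-report", report)
    return any(
        matches_disallowed(body.get(key) or "", patterns)
        for key in ("blocked_uri", "source_file")
    )


def filter_decisions(report: dict) -> dict:
    """Return the filter outcome for the same report under both pattern lists."""
    return {
        "before": should_filter_report(report, DISALLOWED_BEFORE),
        "after": should_filter_report(report, DISALLOWED_AFTER),
    }


if __name__ == "__main__":
    for label, dropped in filter_decisions(SAMPLE_REPORT).items():
        print(f"{label}: {'filtered' if dropped else 'NOT filtered'}")
```

Two things to carry over when reviewing the real fix: a glob of the form `scheme://*` only matches that exact scheme, so a new scheme needs its own entry rather than a broader rewrite of the old one; and the check must look at `source_file` as well as `blocked_uri`, because for an injected inline style the blocked URI is the literal string `inline` and says nothing about the extension.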