w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

block-all-mixed-content for report-only #26

Open ejcx opened 9 years ago

ejcx commented 9 years ago

block-all-mixed-content doesn't actually appear in any CSP spec. It's only referenced in Mixed Content Section 4. "Strict Mixed Content Checking".

It seems like block-all-mixed-content would be the perfect directive to use with report-only, to slurp up information about offending contents, but it isn't currently supported.

Maybe using the word 'block' in report only is not accurate though. A different name like report-all-mixed-content might be best, where it is only valid when using CSP-RO, and must accompany a report-uri.

I imagine a header like this: Content-Security-Policy-Report-Only: report-all-mixed-content; report-uri /report

upgrade-insecure-requests also doesn't work in report-only.

dveditz commented 8 years ago

> [block-all-mixed-content is] only referenced in Mixed Content Section 4. "Strict Mixed Content Checking".

This is the future structure of additions to CSP. Individual separate specs may have CSP hooks, which will be registered with IANA.

> upgrade-insecure-requests also doesn't work in report-only.

report-only never enforces any directive. Since upgrade-insecure-requests is not defined as reporting anything when it is enforced, it's not clear what would be reported when in report-only mode.

David263 commented 6 years ago

Two years later I am trying

Content-Security-Policy-Report-Only: report-all-mixed-content; report-uri /report

and it doesn't work no matter how I tweak it.

Lots of websites that recommend this would seem not to have tried it.

Firefox 56.0.2 (32-bit)

ScottHelme commented 6 years ago

It would be nice for a site operator to see what effect either of these two directives would have if they were included in an enforced policy. When deployed in a report only policy the reports could look something like:

```json
{
    "document-uri": "https://scotthelme.co.uk/",
    "effective-directive": "upgrade-insecure-requests",
    "original-policy": "...; upgrade-insecure-requests; report-uri https://report-uri.com/",
    "blocked-uri": "http://cdnjs.cloudflare.com/"
}
```

mikewest commented 6 years ago

Reporting won't actually get you a picture of the block-all-mixed-content directive's impact, because it applies across origins, cascading through frames. We're not going to start reporting out of cross-origin frames for various good reasons, so anything we give you will be incomplete.

You can get everything we would report to you with a report-only policy along the lines of default-src 'unsafe-inline' 'unsafe-eval' https: blob: filesystem: data:. Perhaps that would be enough? That's what we recommend for upgrade-insecure-requests: https://w3c.github.io/webappsec-upgrade-insecure-requests/#reporting-upgrades
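The following is an added example, not code from the issue thread or from the CSP spec: it shows what a `report-uri` endpoint would do with the reports produced by the report-only policy suggested in the comment above. Because that policy allows every `https:`, `blob:`, `filesystem:` and `data:` source, the only violations it can generate on an HTTPS page are plain-`http:` subresources, i.e. exactly the mixed content that `block-all-mixed-content` or `upgrade-insecure-requests` would act on. The report bodies and URLs below are constructed sample data in the legacy `csp-report` wrapper format; the endpoint path `/report` and the function names are assumptions.

```python
"""Triage CSP violation reports from a mixed-content probe policy.

Added example for the issue thread (not the project's own code). The
report bodies and URLs are constructed samples; /report is an assumed
endpoint path.
"""
import json
from urllib.parse import urlsplit

# Report-only policy from the thread. Everything except plain http: is allowed,
# so on an https: document every violation it produces is mixed content.
MIXED_CONTENT_PROBE_POLICY = (
    "default-src 'unsafe-inline' 'unsafe-eval' https: blob: filesystem: data:; "
    "report-uri /report"
)


def report_only_header():
    """Header name/value pair a server would send to deploy the probe policy."""
    return ("Content-Security-Policy-Report-Only", MIXED_CONTENT_PROBE_POLICY)


def is_mixed_content(report):
    """True when an https: document tried to load a plain-http: subresource.

    blocked-uri may also be a bare keyword such as "inline", "eval" or "data",
    which urlsplit reports with an empty scheme, so those never match.
    """
    doc_scheme = urlsplit(report.get("document-uri", "")).scheme
    blocked_scheme = urlsplit(report.get("blocked-uri", "")).scheme
    return doc_scheme == "https" and blocked_scheme == "http"


def triage(body):
    """Parse one report body (legacy report-uri JSON) into a flat summary.

    Accepts both the {"csp-report": {...}} wrapper and a bare report object.
    """
    outer = json.loads(body)
    report = outer.get("csp-report", outer)
    return {
        "document": report.get("document-uri"),
        "blocked": report.get("blocked-uri"),
        # CSP2+ browsers send effective-directive; older ones only violated-directive.
        "directive": report.get("effective-directive")
        or report.get("violated-directive"),
        "mixed_content": is_mixed_content(report),
    }


# Constructed sample reports: one mixed-content hit, one https: block that a
# stricter policy would produce, and one inline-script violation.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/",
        "blocked-uri": "http://cdn.example/lib.js",
        "effective-directive": "script-src",
        "original-policy": MIXED_CONTENT_PROBE_POLICY,
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/",
        "blocked-uri": "https://tracker.example/pixel.gif",
        "violated-directive": "img-src",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/",
        "blocked-uri": "inline",
        "effective-directive": "script-src",
    }}),
]


def mixed_content_findings(bodies=SAMPLE_REPORTS):
    """Return only the summaries that represent mixed content."""
    return [t for t in (triage(b) for b in bodies) if t["mixed_content"]]


if __name__ == "__main__":
    name, value = report_only_header()
    print(f"{name}: {value}")
    for finding in mixed_content_findings():
        print("mixed content:", finding["document"], "->", finding["blocked"])
```

As the comment above notes, this gives the same picture a reporting `block-all-mixed-content` would, minus anything loaded inside cross-origin frames, which this kind of reporting never sees.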

mikewest commented 6 years ago

/cc @andypaicu