Closed Blason closed 4 months ago
Your `script-src` directive contains `'strict-dynamic'`, which means that URL-based allowlisting is ignored for backwards compatibility. This is explained to some extent in https://w3c.github.io/webappsec-csp/#strict-dynamic-usage:~:text=host%2Dsource%20and,will%20be%20honored., but it's pretty easy to miss.

That said, `script-src-attr` controls things like event handlers. The `blocked-uri` is `'inline'`, which makes sense in this context: you'll want to specify something like `'unsafe-inline'` or use `'unsafe-hashes'` to narrow things further.
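As an added example (not code from the thread or the project), a small Python checker that applies the fallback and source-list rules described in the reply to a violation report; it assumes a trimmed copy of the posted policy embedded as constructed input:

```python
# Added example (not from the thread): work out which directive governed a CSP
# violation report and why its sources did not allow the blocked resource.
FALLBACK = {  # CSP3: a missing granular directive falls back to its parent, then default-src
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_policy(policy):
    """Serialized policy -> {directive: [source expressions]} (first occurrence wins)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def governing_directive(directives, effective):
    """Directive that actually applied for the report's effective-directive."""
    chain = FALLBACK.get(effective, (effective, "default-src"))
    return next((d for d in chain if d in directives), None)

def strict_dynamic_ignored(sources):
    """Sources that 'strict-dynamic' causes to be ignored: host and scheme
    sources, 'self' and 'unsafe-inline'. Only nonces and hashes still count."""
    if "'strict-dynamic'" not in sources:
        return []
    return [s for s in sources if not s.startswith("'") or s in ("'self'", "'unsafe-inline'")]

def inline_handler_allowed(sources):
    """Verdict for an inline event handler (blocked-uri 'inline'): 'self' and hosts never
    allow it; 'unsafe-inline' is off with any nonce/hash or 'strict-dynamic'; hashes need 'unsafe-hashes'."""
    has_hash = any(s.startswith(HASH_OR_NONCE) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash and "'strict-dynamic'" not in sources:
        return "allowed"
    if "'unsafe-hashes'" in sources and has_hash:
        return "needs-hash-match"  # allowed only if the handler's own hash is listed
    return "blocked"

def diagnose(report):
    directives = parse_policy(report["original-policy"])
    governing = governing_directive(directives, report["effective-directive"])
    sources = directives.get(governing, [])
    inline = inline_handler_allowed(sources) if report["blocked-uri"] == "inline" else "n/a"
    return {"governing": governing, "sources": sources, "inline": inline,
            "ignored_in_script_src": strict_dynamic_ignored(directives.get("script-src", []))}

# Constructed report, trimmed from the one posted in the thread (hashes elided).
REPORT = {"blocked-uri": "inline", "effective-directive": "script-src-attr",
          "original-policy": "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' "
                             "'unsafe-inline' 'strict-dynamic' https://www.xxx.xxx https://ajax.googleapis.com; "
                             "script-src-attr 'self'; object-src 'none'"}
```

Running `diagnose(REPORT)` shows the report was governed by `script-src-attr` with only `'self'`, which can never permit an inline handler, and that every host source in `script-src` is being ignored because of `'strict-dynamic'`.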
Great - Thanks for the help!! Appreciated
Hi Team,
Here is my csp policy
```json
{
  "date": "08/Jul/2024:17:45:17 +0530",
  "csp_report": {
    "blocked-uri": "inline",
    "column-number": 4519,
    "disposition": "report",
    "document-uri": "https://www.xxx.xxx/",
    "effective-directive": "script-src-attr",
    "line-number": 3,
    "original-policy": "default-src 'self' 'unsafe-inline'; frame-src 'self' https://td.doubleclick.net; manifest-src 'self' https://www.xxx.xxx; style-src 'self' 'unsafe-inline' https://*.googleapis.com 'self' https://fonts.googleapis.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' https://www.xxx.xxx https://www.google-analytics.com 'sha256-chKR6/W5cKbDvAyQg+E5NqGqVRJMsneBQNnAvDnBAlQ=' 'sha256-4Z6RsPSZvVIZt/SwrbTqoZjubKsnn9KVPwIVnQjyNJw=' 'sha256-Nh7fO9U0UwzFwDrPHSBdcI9YVErvPzpo0q3DDJE0M1w=' 'sha256-uqx66C0m1v7mX6JkNTa/EfRziNpNW6jZJj6b8csfYKg=' 'sha256-kHv8ZHTpjrzvmzY1qFRqhFC4LBuI9INyfyGDGk3VwWw=' 'sha256-uqx66C0m1v7mX6JkNTa/EfRziNpNW6jZJj6b8csfYKg=' 'sha256-kHv8ZHTpjrzvmzY1qFRqhFC4LBuI9INyfyGDGk3VwWw=' 'sha256-3jblAZQyCn0+8azpvTSodai9RYslPAYZed1ijpv0mv0=' 'sha256-VAvG3sHdS5LqTT+5A/aeq/bZGa/Uj04xKxY8KM/w9EE=' 'sha256-C8oQVJ33cKtnkARnmeWp6SDChkU+u7KvsNMFUzkkUzk=' 'sha256-TXAWuIqKdrNpSKYHYZ7bkGoIMlHGjhBceAOn7h5QUQw=' 'sha256-tqlMHUh+wHh08rh4nIZeMbwnBAcss9QVE8OKfdrvodU=' 'sha256-2b5RU9WZsUgm7tNV36A0w17RAyEyqDvuxTzvHVIQ6E0=' 'sha256-NZe6EI6DHYFUR8E7IB0jYeyXL+6P2HQzsVridcWVESE=' 'sha256-9l867tRreZQISfogIvLL3zaCiN6QRvKz2gdcQvnd6PY=' 'sha256-FXSlRA54YYcbC4EqhWvLY4A55v1v4ONi1Rk2lHMJZf8=' 'sha256-8ijKzAGJMbNBQIOqLZ3pM/92KPYjh08Mm/QzYPSJ2e8=' 'sha256-WMOEx/fVLpdP2x5+htiQ6TwHSKlY31r0FFIbtbfIfIM=' https://ajax.googleapis.com; script-src-attr 'self'; style-src-attr 'self' 'unsafe-inline'; script-src-elem 'self' 'sha256-chKR6/W5cKbDvAyQg+E5NqGqVRJMsneBQNnAvDnBAlQ=' 'sha256-3jblAZQyCn0+8azpvTSodai9RYslPAYZed1ijpv0mv0=' 'sha256-VAvG3sHdS5LqTT+5A/aeq/bZGa/Uj04xKxY8KM/w9EE=' 'sha256-4Z6RsPSZvVIZt/SwrbTqoZjubKsnn9KVPwIVnQjyNJw=' 'sha256-Nh7fO9U0UwzFwDrPHSBdcI9YVErvPzpo0q3DDJE0M1w=' 'sha256-uqx66C0m1v7mX6JkNTa/EfRziNpNW6jZJj6b8csfYKg=' 'sha256-kHv8ZHTpjrzvmzY1qFRqhFC4LBuI9INyfyGDGk3VwWw=' 'sha256-uqx66C0m1v7mX6JkNTa/EfRziNpNW6jZJj6b8csfYKg=' 'sha256-kHv8ZHTpjrzvmzY1qFRqhFC4LBuI9INyfyGDGk3VwWw=' https://www.googletagmanager.com http://fonts.googleapis.com https://www.google-analytics.com https://ajax.googleapis.com; style-src-elem 'self' 'unsafe-inline' https://www.xxx.xxx https://gc.kis.v2.scr.kaspersky-labs.comi http://fonts.googleapis.com; media-src 'self' data:; connect-src 'self' https://analytics.google.com https://stats.g.doubleclick.net https://www.google-analytics.com https://www.google.com.sg https://www.google.co.in https://region1.analytics.google.com https://region1.google-analytics.com https://www.google.co.jp https://www.google.co.th https://www.google.nl https://www.google.fr https://www.google.com.ng https://www.google.ae https://www.google.com.hk; font-src 'self' https://www.xxx.xxx http://fonts.gstatic.com http://fonts.gstatic.com data:; img-src 'self' https://www.xxx.xxx https://www.google.co.in https://www.google.com https://www.google-analytics.com https://www.google.co.uk https://www.googletagmanager.com https://www.google.co.jp https://www.google.ru https://www.google.co.th https://www.google.com.om https://analytics.google.com https://stats.g.doubleclick.net https://www.google.co.kr https://www.google.cz https://www.google.nl https://www.google.fr https://www.google.com.sa https://www.google.com.bh data: https://www.google.com.mx https://www.google.com.au https://www.google.com.ng https://www.google.com.sg https://www.google.ae https://www.google.de https://www.google.com.hk; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; report-uri https://csp.isecurenet.in/_csp_nrbbearings",
    "referrer": "https://www.google.com/",
    "source-file": "https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js",
    "status-code": 200,
    "violated-directive": "script-src-attr"
  }
}
```
Even though I specified the domain and `'self'`, my own URL still appears in violations. Any idea why?

```
"08/Jul/2024:17:31:43 +0530","45.85.56.250","https://www.xxx.xxx/index.htm","connect-src",
"08/Jul/2024:17:32:47 +0530","45.85.56.250","https://www.xxx.xxx/disclosures.htm","script-src-elem","https://www.xxx.xxx/disclosures.htm"
"08/Jul/2024:17:34:07 +0530","149.56.160.178","https://www.xxx.xxx/","img-src",
"08/Jul/2024:17:34:07 +0530","149.56.160.178","https://www.xxx.xxx/","img-src",
"08/Jul/2024:17:37:26 +0530","122.187.30.254","https://www.xxx.xxx/","img-src",
"08/Jul/2024:17:37:26 +0530","122.187.30.254","https://www.xxx.xxx/","frame-src",
"08/Jul/2024:17:38:11 +0530","147.161.245.102","https://www.xxx.xxx/","img-src",
"08/Jul/2024:17:38:11 +0530","147.161.245.102","https://www.xxx.xxx/","img-src",
"08/Jul/2024:17:42:17 +0530","147.161.245.102","https://www.xxx.xxx/productfinder.htm","img-src",
"08/Jul/2024:17:45:17 +0530","217.110.65.125","https://www.xxx.xxx/","script-src-attr","https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"
```