Why is script-src-elem not using values from script-src as a fallback?

by

After seeing this exact same pattern in some of my applications, I finally got to the root of this!

The weirdness we were seeing was that CSP reports were coming in for a hostname which was definitely in the script-src directive; and we know that script-src-elem is supposed to fall back to those directives. From that perspective, it should have been literally impossible for these reports to happen.

Here’s what we found: the users these reports were coming from were using the PrivacyBadger browser extension, which was leading to false positive CSP reports for the hosts (Google) that it blocked. I didn’t dig too far into it, but here’s my theory on how that happens:

  1. The Content Security Policy performs a pre-request check for the JavaScript include on the page (eg. gstatic.com or google-analytics.com). The pre-request check passes, because the hostname is allowed in the policy.
  2. The browser initiates a request for the resource
  3. PrivacyBadger intercepts the request via the browser’s onBeforeRequest API (see PrivacyBadger source and Chrome documentation)
  4. ProvacyBadger returns a surrogate data blob for the asset. It does this to ensure that code which relies on the real javascript (eg. window.ga) won’t break.
  5. The browser then performs a post-request check against the returned base64 blob
  6. The post-request check fails – because the policy does not allow data: for script-src
  7. The browser sends a CSP report for the blocked asset.

This seems like it might be a browser bug – because the report reflects the original asset’s third party hostname; while the blocked content is actually a data: blob that was returned via the intercepted request.

More Related Contents:

  1. What is happening when I have two CSP (Content Security Policies) policies – header & meta?
  2. JSON-LD Schema.org: Multiple video/image page
  3. When to use a Var instead of a function?
  4. Allow All Content Security Policy?
  5. How can I stop the browser back button using JavaScript?
  6. How can I get the scrollbar position with JavaScript?
  7. Disabling Back button on the browser [closed]
  8. How to detect browser’s protocol handlers?
  9. Detecting if a browser is using Private Browsing mode
  10. How to register some URL namespace (myapp://app.start/) for accessing your program by calling a URL in browser in Android OS?
  11. Dynamic require in RequireJS, getting “Module name has not been loaded yet for context” error?
  12. url with multiple forward slashes, does it break anything?
  13. Is there any way in Android to force open a link to open in Chrome?
  14. How to get rendered html (processed by Javascript) in WebBrowser control?
  15. How does cookie based authentication work?
  16. Python/Selenium incognito/private mode
  17. Django cannot find static files. Need a second pair of eyes, I’m going crazy
  18. How to display the string html contents into webbrowser control?
  19. UploadFile with POST values by WebClient
  20. What is the size limit of a Base64 DataURL image?
  21. Getting Internal Server Error while trying to access my site
  22. Sending message to background script
  23. Using the GWT Scheduler
  24. Force IE9 to emulate IE8. Possible?
  25. Breaking JavaScript execution when cookie is set
  26. How to make browser full screen using F11 key event through JavaScript [duplicate]
  27. HTML5 Video autoplay with sound unmuted
  28. how to embed SWT browser in swing jframe
  29. How do I dynamically adjust css stylesheet based on browser width?
  30. How to detect the device orientation using CSS media queries?

Leave a Comment