Content Security Policy is Blocking URI in Allowed Domain

删除回忆录丶 submitted on 2021-02-08 03:43:15

Question


I have the following content security policy set in my .htaccess file:

default-src 'none'; \
        form-action 'self'; \
        frame-ancestors 'none'; \
        font-src 'self' data: fonts.gstatic.com *.fontawesome.com; \
        img-src 'self' data: www.google-analytics.com www.facebook.com; \
        script-src 'self' 'unsafe-inline' www.google-analytics.com ssl.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net *.fontawesome.com; \
        style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; \
        connect-src 'self' www.google-analytics.com *.fontawesome.com; \
        frame-src www.google.com; \
        base-uri 'none'; \
        report-uri /csp-report.php

When I visit the site, I don't get any CSP messages in the developer tools console. However, I am getting reports via my report-uri like this:

blocked-uri: https://www.google-analytics.com/analytics.js
document-uri: https://URL.com/
original-policy: default-src 'none'; form-action 'self'; frame-ancestors 'none'; font-src 'self' data: https://fonts.gstatic.com https://*.fontawesome.com; img-src 'self' data: https://www.google-analytics.com https://www.facebook.com; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://ssl.google-analytics.com https://www.google.com https://www.gstatic.com https://ajax.cloudflare.com https://www.googletagmanager.com https://connect.facebook.net https://*.fontawesome.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.fontawesome.com; connect-src 'self' https://www.google-analytics.com https://*.fontawesome.com; frame-src https://www.google.com; base-uri 'none'; report-uri https://URL.com/csp-report.php
referrer:
violated-directive: script-src

It is always the same URI, https://www.google-analytics.com/analytics.js that is being blocked, and I can't figure out why. Is this due to something on the user's end blocking Google Analytics?


Answer 1:


I had the same issue. I was able to trace this down to browser extensions, based on this SO answer.

TL;DR: browser extensions load Google Analytics and it gets blocked by CSP, but it shows up as if it originated from your site.



来源:https://stackoverflow.com/questions/62638524/content-security-policy-is-blocking-uri-in-allowed-domain
