Chrome is reporting Content Security Policy violations to the report-uri, but it reports no violation details. It reports {} instead of providing details regarding the violated policy. All other browsers seem to be reporting violation details fine. My policy is provided below.
I've tried...
- putting the full absolute path in the report-uri directive.
- taking the policy out of Report-Only mode
- making the policy much simpler e.g. default-src 'none' ; report-uri /api/csp-report;
- turning off all my extensions (although I am seeing this in a production site from win & osx visitors with chrome)
- testing in Canary
- "Reported an issue" in chrome (I'm guessing it hasn't even been triaged yet)
Questions I haven't found an answer for yet:
- Is this implemented in Chrome yet?
- Does the implementation differ from the spec?
The Policy (Delivered via HTTP Header)
Content-Security-Policy-Report-Only: default-src 'none' ; script-src 'self' 'unsafe-eval' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https://www.google-analytics.com ; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.servicesite.com; frame-src 'none' ; child-src 'none' ; frame-ancestors 'none' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri https://*.mysite.com; referrer origin-when-cross-origin; report-uri /api/csp-report;
Update... Mar-16-2016
- Chrome is sending the report. I see the request body in network tab. Also logging it in intermediary nginx proxy.
That leads me to think this is a parsing issue in my receiving code (node, express using body-parser). However, I'm still confounded as to why this would only happen for Chrome CSP reports. All other browsers' reports pass through just fine.