问题
My CSP report URI has received the following CSP violation:
{
"csp-report":{
"document-uri":"https://example.com/blog/somepage",
"referrer":"",
"violated-directive":"img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com",
"effective-directive":"img-src",
"original-policy": veryLongPolicyGoesHere,
"blocked-uri":"about",
"status-code":0
}
}
Why would I get a CSP violation for the blocked-uri 'about'?
Is this the inbuilt about: URL from web browsers? I can't replicate the problem when I try.
回答1:
I worked with the user to discover it is indeed the Disconnect extension that is causing this. I contacted the people making the extension, and they confirmed they block URIs by replacing them with about:blank; this is what is causing the CSP violations.
Until Disconnect fixes their blocking scheme, I think the best approach is to simply ignore the CSP violation reports when blocked-uri is about.
回答2:
I think I may have found a temporary workaround (until whatever causes about:blankon the page is fixed): adding about: to the directives that are violated. I tried adding it to the default-src, but I still received a violation report. I added it to img-src and script-src, and the violations did not show up.
来源:https://stackoverflow.com/questions/32336860/why-would-i-get-a-csp-violation-for-the-blocked-uri-about