I have problems with CSP report data (Content-Security-Policy-Report-Only).
In the report I only get the root domain https://******.com, but I'm expecting the full path.
The referrer is always empty, but I need to get this data.
For example: <iframe src="https://*******.com/en/login" width="800" height="800" title="Test Frame"></iframe>.
Could someone help me with this?
Header: 'Content-Security-Policy-Report-Only: frame-ancestors 'self'; report-uri https://******.com/api/security-report'
{
"csp-report": {
"document-uri": "https://******.com/",
"referrer": "",
"violated-directive": "frame-ancestors",
"effective-directive": "frame-ancestors",
"original-policy": "frame-ancestors 'self'; report-uri https://******.com/api/security-report",
"disposition": "report",
"blocked-uri": "https://******.com/",
"status-code": 200,
"script-sample": ""
}
}
CodePudding user response:
According to this article:
The spec further states that if the violating URI is from the same origin as the document-uri, the URI fragment can remain. If not, only the URI origin should be reported. Only Firefox did this incorrectly. For Firefox 5.0 - 41.0, it always reported the full URI, including the fragment, for every blocked-uri value. All other browsers that reported a blocked-uri (some older browsers didn’t) correctly reported the URI with and without the fragment in the correct cases.
The blocked-uri that you get can vary based on the origin where the violation occurred, the browser you are using, your CSP version, etc. You can change any of them to test your requirements again.
And about the referrer: you did not have any referrers trigger CSP reports because none of the violating resources were caused by a referrer.
- The article will illustrate this too with a clear explanation.
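To make the reduction rule quoted above concrete, here is an added Python example (not code from the question or the answer) that applies it to constructed URLs and parses a report shaped like the one in the question; example.com and partner.example are placeholder domains, and the function names are my own.

```python
import json
from urllib.parse import urlsplit, urlunsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}

def _host_port(parts):
    """Host plus port with credentials removed and the default port dropped."""
    host = parts.hostname or ""
    if parts.port is not None and parts.port != _DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return host

def origin_of(url):
    """ASCII serialization of a URL's origin, e.g. https://example.com"""
    parts = urlsplit(url)
    return f"{parts.scheme}://{_host_port(parts)}"

def strip_for_report(blocked_url, document_url):
    """Reduce a violating URL the way the quoted rule describes: a cross-origin
    URL is cut down to its origin, a same-origin URL keeps path and query;
    fragment and credentials are dropped in both cases."""
    parts = urlsplit(blocked_url)
    if parts.scheme not in _DEFAULT_PORTS:  # e.g. data:, blob: -> scheme only
        return parts.scheme
    if origin_of(blocked_url) != origin_of(document_url):
        return origin_of(blocked_url)
    return urlunsplit((parts.scheme, _host_port(parts), parts.path, parts.query, ""))

def parse_csp_report(body):
    """Pull the fields a report-uri endpoint needs from the legacy JSON envelope."""
    report = json.loads(body)["csp-report"]
    return {
        "document": report.get("document-uri", ""),
        "blocked": report.get("blocked-uri", ""),
        "referrer": report.get("referrer", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
    }

# Constructed report in the shape shown in the question (placeholder domains).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/", "referrer": "",
    "violated-directive": "frame-ancestors", "effective-directive": "frame-ancestors",
    "original-policy": "frame-ancestors 'self'; report-uri https://example.com/api/security-report",
    "disposition": "report", "blocked-uri": "https://example.com/", "status-code": 200}})

if __name__ == "__main__":
    print(parse_csp_report(SAMPLE_REPORT))
    print(strip_for_report("https://partner.example/embed/page#x", "https://example.com/"))
    print(strip_for_report("https://example.com/en/login#top", "https://example.com/"))
```

Note that a different port counts as a different origin, so https://example.com:8443/a embedded in a page on https://example.com/ is reduced to its origin as well.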