
CSP Violation ms-appx-web://

Çağlar Arlı

We have a Java application which allows users to upload attachments and save them on the server. The application has a content security policy defined like this:

base-uri 'self'; child-src 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com; frame-src 'self'; img-src 'self' http://www.google-analytics.com https://www.google-analytics.com https://ssl.google-analytics.com data:; media-src 'self'; object-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' http://www.google-analytics.com https://ssl.google-analytics.com; style-src 'unsafe-inline' 'unsafe-eval' 'self'; default-src *;

Recently we got a CSP violation report, which is:

csp-report:
  Referrer:
  Blocked Content Source: ms-appx-web://
  Violated Directive: font-src 'self' https://fonts.gstatic.com
  Effective Directive: font-src
  Status Code: 200

Can someone help me understand what ms-appx-web is and why it came out as the blocked content? Why does the CSP say that font-src is violated?

I have the below understanding:

Allowed fonts are the ones which are inside the application ('self') and from "https://fonts.gstatic.com". For some reason the user tried to attach a PDF document having a font not supported by the application/Google Fonts. That font may be defined in Windows, i.e. ms-appx-web://

Is the above correct?
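Added example, not part of the question above: a small evaluator that replays the report against the policy, showing that an explicit font-src is what governs a font load (default-src is only a fallback for directives that are absent), and that under the CSP3 matching rule a bare `*` covers only network schemes, so a non-network scheme such as ms-appx-web:// is rejected by either directive. The source matcher is simplified (ports and paths are ignored), the policy is a constructed subset of the one quoted above, and the page origin https://app.example is an assumed placeholder.

```python
from urllib.parse import urlsplit

# Constructed subset of the policy quoted in the question.
POLICY = ("font-src 'self' https://fonts.gstatic.com; "
          "img-src 'self' https://www.google-analytics.com data:; "
          "script-src 'unsafe-inline' 'self'; default-src *")

# CSP3: a bare '*' matches only network schemes (or the page's own scheme).
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_policy(policy):
    """Split 'name src src; name src' into {name: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def effective_sources(directives, name):
    """A fetch directive falls back to default-src only when it is absent."""
    if name in directives:
        return name, directives[name]
    return "default-src", directives.get("default-src", [])


def source_allows(expr, url, page_origin):
    """Simplified source-expression match (ports and paths ignored)."""
    u, o, e = urlsplit(url), urlsplit(page_origin), expr.lower()
    if e == "'self'":
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if e == "*":
        return u.scheme in NETWORK_SCHEMES or u.scheme == o.scheme
    if e.startswith("'"):                   # 'none', nonces, hashes, 'unsafe-*'
        return False
    if e.endswith(":") and "/" not in e:    # scheme-source such as data:
        return u.scheme == e[:-1]
    h = urlsplit(e if "://" in e else "//" + e)   # host-source
    if h.scheme and h.scheme != u.scheme:
        return False
    if h.hostname.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(h.hostname[1:])
    return u.hostname == h.hostname


def check_report(policy, effective_directive, blocked_uri, page_origin):
    """Return (directive that governed the load, whether it allows blocked_uri)."""
    name, sources = effective_sources(parse_policy(policy), effective_directive)
    return name, any(source_allows(s, blocked_uri, page_origin) for s in sources)
```

Running `check_report(POLICY, "font-src", "ms-appx-web://", "https://app.example")` reproduces the report: font-src is the effective directive and neither 'self' nor fonts.gstatic.com matches the blocked scheme.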