Why is a domain specified in a CSP default-src being reported as a script-src-elem violation?
I have a Content-Security-Policy-Report-Only header of:
default-src 'report-sample' 'self' *.googleapis.com; object-src 'none'; report-uri https://example.com/csp_logger;
but violations are being reported to my csp_logger endpoint, specifically:
blocked-uri: https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js
violated-directive: script-src-elem
Why is this? The document URI serving the HTML that references https://ajax.googleapis.com is also https, so the protocols match. I would expect the default-src value of *.googleapis.com to have covered this case.
Does default-src not provide a fallback for script-src-elem?
EDIT: Ah, I see that https://stackoverflow.com/questions/64322419/why-is-script-src-elem-not-using-values-from-script-src-as-a-fallback has the same issue, and more detail, but no satisfactory answer.
EDIT2: I've installed the PrivacyBadger Chrome extension to try and see if I can replicate the results from the top-voted answer to the question I referenced.
These are useful resources too:
- https://csper.io/blog/csp-report-filtering
- CSP-wtf
- https://oreoshake.github.io/csp/twitter/2014/07/25/twitters-csp-report-collector-design.html
- https://dropbox.tech/security/on-csp-reporting-and-filtering
- https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L13
- https://github.com/jacobbednarz/go-csp-collector/blob/master/internal/utils/blocked_uris.go
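As an added example (not part of the question above and not code from any of the collectors linked in the list), the following Python implements the two checks a report collector needs in order to decide whether a report like the one in the question is a real violation or noise worth filtering: the CSP Level 3 fallback chain (script-src-elem falls back to script-src, then to default-src, while directives such as frame-ancestors never fall back) and the spec's host-source matching rules for 'self', scheme-sources and wildcard hosts such as *.googleapis.com. The sample policy is the one from the question; the document-uri and the comparison reports are constructed, and the list of extension URL schemes treated as noise is an assumption based on what the linked collectors drop.

```python
"""Classify CSP violation reports against the policy that produced them.

Implements the CSP Level 3 directive fallback chain and the host-source matching
algorithm for the kinds of source expressions used in the question.
"""
from urllib.parse import urlsplit

# CSP3 fallback: the first directive present in the policy governs the request.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src-attr": ("style-src-attr", "style-src", "default-src"),
    "worker-src": ("worker-src", "child-src", "script-src", "default-src"),
}
# Directives that never fall back to default-src.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Assumed noise list: blocked-uri schemes that come from browser extensions, not the page.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "ms-browser-extension", "chrome", "about"}


def parse_policy(header):
    """Split a CSP header into {directive-name: [source expressions]}; first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy, directive):
    """Return the directive whose source list applies, following the fallback chain (None if none)."""
    chain = (directive,) if directive in NO_FALLBACK else FALLBACK.get(directive, (directive, "default-src"))
    return next((name for name in chain if name in policy), None)


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _scheme_ok(expected, actual):
    # A policy scheme of http:/ws: also permits the secure upgrade.
    return actual == expected or (expected, actual) in {("http", "https"), ("ws", "wss")}


def source_matches(expr, url, document_uri):
    """CSP3 'does url match expression in origin' for keywords, scheme-sources and host-sources."""
    u, doc = urlsplit(url), urlsplit(document_uri)
    if expr.startswith("'"):  # keyword: only 'self' can ever match a URL
        if expr.lower() != "'self'":
            return False
        return (u.scheme, u.hostname, _port(u)) == (doc.scheme, doc.hostname, _port(doc))
    e = expr.lower()
    if e == "*":
        return u.scheme in DEFAULT_PORTS
    if e.endswith(":") and "/" not in e:  # scheme-source such as "https:"
        return _scheme_ok(e[:-1], u.scheme)
    scheme = None  # host-source: [scheme://]host[:port][/path]
    if "://" in e:
        scheme, e = e.split("://", 1)
    hostport, slash, rest = e.partition("/")
    path = slash + rest if slash else None
    host, _, port = hostport.partition(":")
    if not _scheme_ok(scheme or doc.scheme, u.scheme):  # no scheme given: inherit the document's
        return False
    h = u.hostname or ""
    if host.startswith("*."):
        if not h.endswith(host[1:]):  # "*.googleapis.com" matches ajax.googleapis.com, not googleapis.com
            return False
    elif host != "*" and h != host:
        return False
    if port == "*":
        pass
    elif port:
        if str(_port(u)) != port:
            return False
    elif _port(u) != DEFAULT_PORTS.get(u.scheme):  # no port given: URL must use the default port
        return False
    if path:  # "/dir/" is a prefix match, "/file.js" an exact match
        upath = u.path or "/"
        return upath.startswith(path) if path.endswith("/") else upath == path
    return True


def classify_report(policy_header, csp_report):
    """Return (governing directive, verdict) for one report body carrying a "csp-report" object."""
    r = csp_report["csp-report"]
    blocked = r.get("blocked-uri", "")
    directive = ((r.get("effective-directive") or r.get("violated-directive", "")).split() or [""])[0]
    policy = parse_policy(policy_header)
    governing = governing_directive(policy, directive)
    if ":" not in blocked:  # "inline", "eval", "data" or empty: not a fetchable URL
        return governing, "non-url"
    if blocked.split(":", 1)[0].lower() in EXTENSION_SCHEMES:
        return governing, "extension"
    if governing is None:
        return governing, "unconstrained"
    if any(source_matches(s, blocked, r["document-uri"]) for s in policy[governing]):
        return governing, "permitted"  # the policy allows this URL, so the report is a filtering candidate
    return governing, "violation"


if __name__ == "__main__":
    policy = "default-src 'report-sample' 'self' *.googleapis.com; object-src 'none'; report-uri https://example.com/csp_logger;"
    report = {"csp-report": {"document-uri": "https://www.example.com/index.html",  # constructed
                             "blocked-uri": "https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js",
                             "effective-directive": "script-src-elem"}}
    print(classify_report(policy, report))
```

Running the sample resolves script-src-elem to default-src and reports the webfont.js URL as permitted by *.googleapis.com, which is what a collector would use to separate such reports from genuine violations (a request to a host outside the list, or an object-src report, which the 'none' source never permits).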