Browser Reporting Demos — Supported by

Content Security Policy with report-to

Sending Content Security Policy (CSP) violation reports with Reporting API using the Reporting-Endpoints header, asynchronously and out-of-band, when the browser feels like.

CSP is a policy that lets the authors (or server administrators) of a web application inform the browser about the sources from which the application expects to load resources like images, scripts, styles, or even where to submit forms. Content Security Policy is not intended as a first line of defense against content injection vulnerabilities like Cross-Site Scripting (XSS). Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks. The report-to directive using the Reporting API replaces the deprecated report-uri directive in Content Security Policy level 3 spec, which is not yet fully supported by all major clients. To support more browsers, apps usually send both report-uri and report-to in their CSP headers.

The CSP response header:

Content-Security-Policy: default-src 'none'; img-src 'self' https://www.michalspacek.cz; script-src 'nonce-uYkDK76OEPJVkXgxG9X157jG' 'self' 'report-sample'; style-src 'self' 'nonce-uYkDK76OEPJVkXgxG9X157jG'; report-to default

• default-src: what's allowed by default, includes images, fonts, JavaScript and more
• img-src: where to load images from, overrides default-src for images
  • 'self' means current URL's origin (scheme + host + port)
• script-src: what JavaScript is allowed to be executed
  • 'nonce-uYkDK76OEPJVkXgxG9X157jG' means script elements with nonce="uYkDK76OEPJVkXgxG9X157jG" attribute
  • 'report-sample' instructs the browser to include the first 40 characters of the blocked JavaScript in the report
• style-src: allowed CSS sources
• report-to: name of the endpoint where to send violation reports, as defined in the Reporting-Endpoints header

The Reporting-Endpoints response header:

Reporting-Endpoints: default="https://cancer.has.report/report"

• default: the name of the endpoint, the same as in the CSP header in the report-to directive
• "url": where to send reports, must be https://, otherwise the endpoint will be ignored
• You may provide multiple name="url" endpoints separated by comma (,)
  • For example: Reporting-Endpoints: csp-reporting="https://example.com/csp", nel-reporting="https://example.com/nel"

Try it with images

Click to load another image from https://www.michalspacek.cz (allowed)

show the code ▼

Now simulate an attacker:
Click to load an image from https://example.com

show the code ▼

• Blocked
• Will trigger a report that will be sent asynchronously (violation visible in Developer Tools in the Console tab, you won't see the report in Network tab but you can still view the reporting requests)
• Check your reports (can take some time before the browser sends the report)

… and with JavaScript

Click to alert('hi') (allowed, the script tag contains nonce="uYkDK76OEPJVkXgxG9X157jG")

show the code ▼

Simulate an attacker:
Click to inject blocked JS tag

show the code ▼

• Blocked because the injected JS tag created by document.createElement() doesn't have a nonce
• Will trigger a report that will be sent asynchronously (violation visible in Developer Tools in the Console tab, you won't see the report in Network tab but you can still view the reporting requests)
• Check your reports (can take some time before the browser sends the report)
• See the inserted JS tag in Developer tools, right after <button id="inject">

There's more CSP demos to try, where you can load any resources by URL and even submit forms.

Related specs & documents

• Content Security Policy Level 3 Working Draft
  • Content Security Policy Level 2
  • Content Security Policy 1.0 (discontinued)
• Reporting API Working Draft
  • Reporting API Editor's Draft (which will evolve into a Working Draft, followed by a Recommendation eventually)

By Michal Špaček, @spazef0rze, supported by – real time security monitoring and error tracking