Content Security Policy with `report-uri`

Sending Content Security Policy (CSP) violation reports.

CSP is a policy that lets the authors (or server administrators) of a web application inform the browser about the sources from which the application expects to load resources like images, scripts, styles, or even where to submit forms. Content Security Policy is not intended as a first line of defense against content injection vulnerabilities like Cross-Site Scripting (XSS). Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks. Using report-uri directive is specific to CSP and is not part of the Reporting API specification, and is actually deprecated and replaced by report-to directive and Reporting API in Content Security Policy level 3 spec, which is not yet fully supported by all major clients. To support more browsers, apps usually send both report-uri and report-to in their CSP headers.

The CSP response header:

Content-Security-Policy: default-src 'none'; img-src 'self' https://www.michalspacek.cz; script-src 'nonce-0oxZPV1g5wSSJMznBsEiT0Pu' 'self' 'report-sample'; style-src 'self' 'nonce-0oxZPV1g5wSSJMznBsEiT0Pu'; report-uri https://boyce.has.report/report

default-src: what's allowed by default, includes images, fonts, JavaScript and more
img-src: where to load images from, overrides default-src for images
- 'self' means current URL's origin (scheme + host + port)
script-src: what JavaScript is allowed to be executed
- 'nonce-0oxZPV1g5wSSJMznBsEiT0Pu' means script elements with nonce="0oxZPV1g5wSSJMznBsEiT0Pu" attribute
- 'report-sample' instructs the browser to include the first 40 characters of the blocked JavaScript in the report
style-src: allowed CSS sources
report-uri: where to send violation reports to

Try it with images

another image from https://www.michalspacek.cz (allowed)

show the code ▼

<script nonce="0oxZPV1g5wSSJMznBsEiT0Pu">
  document.getElementById('allowed').onclick = function(e) {
    document.getElementById('image').src = 'https://www.michalspacek.cz/i/images/photos/michalspacek-webtop100-400x268.jpg';
  }
</script>

Now simulate an attacker:
an image from https://example.com

show the code ▼

<script nonce="0oxZPV1g5wSSJMznBsEiT0Pu">
  document.getElementById('blocked').onclick = function(e) {
    document.getElementById('image').src = 'https://example.com/image.png';
  }
</script>

Blocked
Will trigger a report, check Developer tools (Network and Console tabs)
Check your reports

… and with JavaScript

(allowed, the script tag contains nonce="0oxZPV1g5wSSJMznBsEiT0Pu")

show the code ▼

<script nonce="0oxZPV1g5wSSJMznBsEiT0Pu">
  document.getElementById('js').onclick = function(e) {
    alert('hi');
  };
</script>

Simulate an attacker:
blocked JS tag

show the code ▼

<script nonce="0oxZPV1g5wSSJMznBsEiT0Pu">
  document.getElementById('inject').onclick = function() {
    const script = document.createElement('script');
    script.text = 'console.log("lo")';
    document.getElementById('inject').insertAdjacentElement('afterend', script);
  }
</script>

Blocked because the injected JS tag created by document.createElement() doesn't have a nonce
Will trigger a report, check Developer tools (Network and Console tabs)
Check your reports
See the inserted JS tag in Developer tools, right after <button id="inject">

There's more CSP demos to try, where you can load any resources by URL and even submit forms.

Related specs & documents

Content Security Policy Level 3 Working Draft
- Content Security Policy Level 2
- Content Security Policy 1.0 (discontinued)

Content Security Policy with report-uri

The CSP response header:

Try it with images

… and with JavaScript

Related specs & documents

Content Security Policy with `report-uri`