7 months ago
Stuart Larsen #article
Recently a few customers reported an issue where they were receiving CSP violation reports for 'adservice.google.com' even though 'adservice.google.com' was part of their CSP policy.
Example violation report:
The first (incorrect) idea was that maybe an adblocker was replacing the content with either a 'data:' or 'blob:' URL. Since data/blob was not part of the original policy it would be blocked, but the error report would still specify the original URL.
We've seen this adblocker pattern before, and since this is an ad domain it seemed reasonable that an adblocker was behind the issue.
But after testing with blob/data, reports were still being received!
At this point, I figured maybe the adblocker was using a different scheme that we needed to determine and add. So I started going through all the adblockers to see which one was tripping the report. But to my surprise, it was being triggered even when I disabled all adblockers!
It turns out I had rabbit holed on the idea of adblockers, when the issue was just a simple HTTP redirect! If I had looked more closely at the JavaScript console I would have seen the issue:
Refused to connect to https://www.googleadservices.com because it violates the following Content Security Policy directive: "connect-src ..."
The URL adservice.google.com recently started redirecting to www.googleadservices.com.
It was easy to quickly test a new policy using a very old tool I wrote: https://chromewebstore.google.com/detail/caspr-enforcer/fekcdjkhlbjngkimekikebfegbijjafd
I added www.googleadservices.com to the connect-src and verified that no new reports were being fired.
It's annoying that the original violation report doesn't mention the redirected URL. But the CSP authors are pretty clever, and this is definitely something they would have considered.
And they did:
https://www.w3.org/TR/CSP3/#security-violation-reports:
If violation reports contained the full blocked URL, the violation report might contain sensitive information contained in the redirected URL, such as session identifiers or purported identities. For this reason, the user agent includes only the URL of the original request, not the redirect target.
If you're running into issues with connect-src adservice.google.com, make sure to also include the redirect target 'www.googleadservices.com' in the directive.
And also as a reminder to myself: I need to keep an open mind and not jump to conclusions when investigating issues. The issue was simple; I just jumped too quickly to a specific set of solutions.
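To make the redirect behaviour concrete, here is an added example (not code from this post or from the CASPR tool) that evaluates a CSP connect-src against every hop of a redirect chain and returns the first hop the policy would block. The page origin https://example.test, the policies and the URL chain are constructed for the demonstration; the hop it returns is exactly the one a browser's violation report would not name.

```python
from urllib.parse import urlsplit
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def directive_sources(policy, name):
    """Return the source list of `name` from a serialized CSP, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def split_source(source):
    """Split a host-source into (scheme, host, port); path parts are ignored."""
    scheme, _, rest = source.rpartition("://")        # scheme is "" when absent
    if not scheme and rest.endswith(":"):             # scheme-only source such as "https:"
        return rest[:-1], None, None
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme or None, host, port or None

def source_matches(source, url, page_origin):
    """Host-source matching after CSP3 6.7.2.7; other keywords, nonces and hashes never match a URL."""
    if source == "'self'":
        source = page_origin
    if source.startswith("'"):
        return False
    u = urlsplit(url)
    scheme, host, port = split_source(source)
    want = (scheme or urlsplit(page_origin).scheme).lower()
    if u.scheme != want and not (want == "http" and u.scheme == "https"):
        return False
    if host is None:                                  # scheme-only source already matched
        return True
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:].lower()):
            return False
    elif host != "*" and host.lower() != u.hostname:
        return False
    if port == "*":
        return True
    url_port = u.port or DEFAULT_PORT.get(u.scheme)
    return url_port == (int(port) if port else DEFAULT_PORT.get(u.scheme))

def first_blocked_hop(policy, chain, page_origin="https://example.test"):
    """Each hop of a redirect chain must match connect-src; return the first that does not, or None.
    The browser's report would name chain[0], not the hop returned here (CSP3 security-violation-reports)."""
    sources = directive_sources(policy, "connect-src")  # None: directive absent, nothing enforced here
    for hop in chain:
        if sources is not None and not any(source_matches(s, hop, page_origin) for s in sources):
            return hop
    return None
```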