Content Security Policy (CSP) report-uri

report-uri is the feedback mechanism for content-security-policy. When a browser detects a violation of the content-security-policy, it sends a JSON payload to the endpoint(s) listed in the report-uri directive of the policy.

Here's an example content-security-policy that includes report-uri:

So if my website had the above policy, the browser would send any violation reports to demo.endpoint.csper.io.

This is an example report-uri payload:

{
  "csp-report": {
    "document-uri": "https://csper.io/mydemovulnerablepage",
    "referrer": "",
    "violated-directive": "script-src-attr",
    "effective-directive": "script-src-attr",
    "original-policy": "default-src 'self'; script-src 'report-sample' 'self' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/js; style-src 'report-sample' 'self'; report-uri https://demo.endpoint.csper.io;",
    "disposition": "enforced",
    "blocked-uri": "inline",
    "line-number": 1,
    "source-file": "https://csper.io/p/mydemovulnerablepage",
    "status-code": 0,
    "script-sample": "alert(1)"
  }
}

We can learn a lot of good information from the reports.

  • The effective-directive is script-src-attr, meaning that JavaScript was included on the page in an HTML attribute, such as onerror or onclick
  • The alert was fired from document-uri (csper.io) and was caused by source-file. These sometimes don't match up, for example when something else (such as a script injecting CSS) causes another page to violate CSP
  • We have original-policy, which is useful for continuity or when running multiple policies
  • A disposition of enforced means that the inline script was blocked (instead of only being reported on)
  • script-sample shows us that the blocked payload was alert(1). Uh oh! Someone was trying to perform an XSS!
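
The field-by-field reading above, as an added example (not Csper's code and not part of the original page): a JavaScript function that validates one report body and flags the case from the last bullet. The function names, size cap, verdict labels and grouping key are assumptions made for this example.

```javascript
// Added example: triage of one legacy report-uri body ({"csp-report": {...}}).
// Anyone can POST to a report endpoint, so every field is untrusted input.
const MAX_BODY_CHARS = 16384; // assumed size cap for this example
const SCRIPT_DIRECTIVES = ["script-src", "script-src-elem", "script-src-attr"];

function originOf(uri) {
  try { return new URL(uri).origin; } catch { return ""; }
}

function triageCspReport(body) {
  if (typeof body !== "string" || body.length > MAX_BODY_CHARS) return null;
  let parsed;
  try { parsed = JSON.parse(body); } catch { return null; }
  const r = parsed && parsed["csp-report"];
  if (!r || typeof r !== "object") return null;
  // Keep only strings, truncated, so odd types or huge values never reach storage.
  const str = (k) => (typeof r[k] === "string" ? r[k].slice(0, 2048) : "");

  // Older browsers omit effective-directive; fall back to violated-directive,
  // which may carry the directive's value after its name.
  const directive = (str("effective-directive") || str("violated-directive")).split(" ")[0];
  const blockedUri = str("blocked-uri");
  const sample = str("script-sample"); // only sent when 'report-sample' is in the policy
  const docOrigin = originOf(str("document-uri"));
  const srcOrigin = originOf(str("source-file"));
  const inlineScript = SCRIPT_DIRECTIVES.includes(directive) &&
    (blockedUri === "inline" || blockedUri === "eval");
  return {
    directive,
    blockedUri,
    sample, // escape before displaying it in any dashboard
    reportOnly: str("disposition") === "report", // anything else is treated as enforced
    crossOrigin: srcOrigin !== "" && srcOrigin !== docOrigin,
    // Inline script with a captured sample deserves a human look first.
    verdict: inlineScript && sample !== "" ? "review-possible-injection" : "policy-violation",
    groupKey: [directive, blockedUri, docOrigin].join("|"), // aggregation key
  };
}

// Constructed sample, trimmed from the payload shown above.
const SAMPLE_BODY = JSON.stringify({ "csp-report": {
  "document-uri": "https://csper.io/mydemovulnerablepage",
  "effective-directive": "script-src-attr",
  "disposition": "enforced",
  "blocked-uri": "inline",
  "source-file": "https://csper.io/p/mydemovulnerablepage",
  "script-sample": "alert(1)" } });
```

Calling triageCspReport(SAMPLE_BODY) yields the review-possible-injection verdict; malformed or oversized bodies return null so the endpoint can drop them without storing anything.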

There are services that collect these reports and perform aggregation, classification and analysis. Csper is one of these services.
