ძიება მხარდაჭერაში

ნუ გაებმებით თაღლითების მახეში მხარდაჭერის საიტზე. აქ არასდროს მოგთხოვენ სატელეფონო ნომერზე დარეკვას, შეტყობინების გამოგზავნას ან პირადი მონაცემების გაზიარებას. გთხოვთ, გვაცნობოთ რამე საეჭვოს შემჩნევისას „დარღვევაზე მოხსენების“ მეშვეობით.

ვრცლად

Test Content-Security-Policy violation handling

  • 1 პასუხი
  • 0 მომხმარებელი წააწყდა მსგავს სიძნელეს
  • 2 ნახვა
  • ბოლოს გამოეხმაურა markwarner22

Hi,

I am developing a website of my own and in that website I want to implement a handler for Content-Security-Policy violation reports. I want to test if this handler works as I expect and therefore I have configured a webpage such that is will report CSP violations (I see them in the web developer console) and I want to have them sent to my application's CSP-violation handler.

In my test environment, the application is running on localhost. I have run my web application both on HTTP and HTTPS (with a self-signed certificate), but in neither case Firefox is sending any reports to my application.

My CSP headers look as follows: Content-Security-Policy: report-uri http://localhost:5281/csp-violation;base-uri 'none';default-src 'self';form-action 'none';frame-ancestors 'none';report-to csp-viol;script-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg';style-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg' Reporting-Endpoints: csp-viol=http://localhost:5281/csp-violation Report-To: {"group":"csp-viol","max_age":10886400,"endpoints":[{"url":"http://localhost:5281/csp-violation"}]}

When I run my application using HTTPS, all HTTP in the endpoints will also be HTTPS.

I have verified that when I post something by hand to http://localhost:5281/csp-violation, my handler is executed, so that is not the issue. I believe that Firefox is just not sending the reports. Is there a way to configure Firefox such that it will send the CSP violation reports to my application when run on HTTP(S) on localhost?

Sincerely, Marcel

Hi, I am developing a website of my own and in that website I want to implement a handler for Content-Security-Policy violation reports. I want to test if this handler works as I expect and therefore I have configured a webpage such that is will report CSP violations (I see them in the web developer console) and I want to have them sent to my application's CSP-violation handler. In my test environment, the application is running on localhost. I have run my web application both on HTTP and HTTPS (with a self-signed certificate), but in neither case Firefox is sending any reports to my application. My CSP headers look as follows: Content-Security-Policy: report-uri http://localhost:5281/csp-violation;base-uri 'none';default-src 'self';form-action 'none';frame-ancestors 'none';report-to csp-viol;script-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg';style-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg' Reporting-Endpoints: csp-viol=http://localhost:5281/csp-violation Report-To: {"group":"csp-viol","max_age":10886400,"endpoints":[{"url":"http://localhost:5281/csp-violation"}]} When I run my application using HTTPS, all HTTP in the endpoints will also be HTTPS. I have verified that when I post something by hand to http://localhost:5281/csp-violation, my handler is executed, so that is not the issue. I believe that Firefox is just not sending the reports. Is there a way to configure Firefox such that it will send the CSP violation reports to my application when run on HTTP(S) on localhost? Sincerely, Marcel

ყველა პასუხი (1)

This is just a Firefox browser user help forum not a support ticket site for testing software.

გამოსადეგია?

დასვით კითხვა

უნდა შეხვიდეთ ანგარიშზე პასუხის დასაწერად. გთხოვთ, დასვათ ახალი შეკითხვა, თუ ჯერ არ გაქვთ ანგარიში.