
Drop blocked-uri entirely from csp-reports for the frame-src directive #45624


Open
fmarier opened this issue Apr 22, 2025 · 0 comments
Comments

@fmarier
Member

fmarier commented Apr 22, 2025

As discussed on web-platform-tests/wpt#27384, reporting the blocked-uri for the in CSP reports is problematic in the presence of redirects. Chrome settled on two things:

  1. truncating the URL down to the origin for cross-origin reports
  2. using the request URL and not the final post-redirect URL for directives other than frame-src (https://issues.chromium.org/issues/40054636)

The commit implementing this second mitigation has the following comment:

we should probably consider dropping reporting completely for frame-src.

though that was never done, as can be seen on my test page.

I don't know whether they will ever do it, but I propose we drop the blocked-uri entirely for the frame-src directive in the meantime.

Also reported to us in https://hackerone.com/reports/3027234.
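To make the three behaviours above concrete, here is an added Python sketch (not Brave's or Chromium's code) of how a reporter could sanitize `blocked-uri` before sending a CSP report: Chrome's two existing mitigations plus the proposed "drop it for frame-src" rule. The function name, the report shape and the sample report are assumptions made for the example.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Serialize a URL down to its origin (scheme://host[:port]), dropping path and query."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def sanitize_blocked_uri(report: dict, request_url: str, final_url: str,
                         drop_for_frame_src: bool = True) -> dict:
    """Return a copy of a CSP report with a sanitized 'blocked-uri'.

    request_url: the URL the page originally requested.
    final_url:   the URL reached after any redirects (this is what can leak).
    drop_for_frame_src: the behaviour proposed in this issue; False models
                        Chrome's current behaviour for frame-src.
    """
    body = dict(report["csp-report"])
    directive = (body.get("effective-directive")
                 or body.get("violated-directive", "").split()[0])

    if directive == "frame-src":
        if drop_for_frame_src:
            # Proposed mitigation: no blocked-uri at all for frame-src.
            body.pop("blocked-uri", None)
            return {"csp-report": body}
        candidate = final_url  # Chrome today: post-redirect URL for frame-src
    else:
        # Chrome mitigation 2: report the pre-redirect request URL only.
        candidate = request_url

    # Chrome mitigation 1: cross-origin reports are truncated to the origin.
    if origin_of(candidate) != origin_of(body["document-uri"]):
        candidate = origin_of(candidate)
    body["blocked-uri"] = candidate
    return {"csp-report": body}


# Constructed sample report, not taken from any real browser.
SAMPLE_REPORT = {"csp-report": {"document-uri": "https://example.com/page",
                                "effective-directive": "frame-src",
                                "blocked-uri": ""}}

if __name__ == "__main__":
    print(sanitize_blocked_uri(SAMPLE_REPORT, "https://third.example/login",
                               "https://third.example/home"))
```

With `drop_for_frame_src=False` the output still names the post-redirect origin, which is exactly the signal the issue wants to remove.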
