 

Content Security Policy is Blocking URI in Allowed Domain

I have the following content security policy set in my .htaccess file:

default-src 'none'; \
        form-action 'self'; \
        frame-ancestors 'none'; \
        font-src 'self' data: fonts.gstatic.com *.fontawesome.com; \
        img-src 'self' data: www.google-analytics.com www.facebook.com; \
        script-src 'self' 'unsafe-inline' www.google-analytics.com ssl.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net *.fontawesome.com; \
        style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; \
        connect-src 'self' www.google-analytics.com *.fontawesome.com; \
        frame-src www.google.com; \
        base-uri 'none'; \
        report-uri /csp-report.php

When I visit the site, I don't get any CSP messages in the developer tools console. However, I am getting reports via my report-uri like this:

blocked-uri: https://www.google-analytics.com/analytics.js
document-uri: https://URL.com/
original-policy: default-src 'none'; form-action 'self'; frame-ancestors 'none'; font-src 'self' data: https://fonts.gstatic.com https://*.fontawesome.com; img-src 'self' data: https://www.google-analytics.com https://www.facebook.com; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://ssl.google-analytics.com https://www.google.com https://www.gstatic.com https://ajax.cloudflare.com https://www.googletagmanager.com https://connect.facebook.net https://*.fontawesome.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.fontawesome.com; connect-src 'self' https://www.google-analytics.com https://*.fontawesome.com; frame-src https://www.google.com; base-uri 'none'; report-uri https://URL.com/csp-report.php
referrer:
violated-directive: script-src

It is always the same URI, https://www.google-analytics.com/analytics.js that is being blocked, and I can't figure out why. Is this due to something on the user's end blocking Google Analytics?

asked Oct 21 '25 16:10 by kmlucy
1 Answer

I had the same issue. I was able to trace this down to browser extensions based on this SO answer.

TL;DR: browser extensions load up Google Analytics and they get blocked by CSP, but it shows as if it originated from your site.

answered Oct 25 '25 19:10 by Gavin Miller
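As an added example (not code from the original question or answer), here is a Python triage check for reports arriving at an endpoint such as /csp-report.php. It re-parses the original-policy carried in the report and tests whether the blocked-uri is actually permitted by the violated directive. A report that contradicts its own policy, like the analytics.js one above, cannot have been produced by the page's own resources under that policy, which is exactly the extension-injected pattern the answer describes, so it can be filed as client-side noise instead of paged out as an incident. The two sample reports are constructed for the example, the source matcher is deliberately simplified (scheme and host only, no port or path matching), and the function names are this example's own.

```python
import json
from urllib.parse import urlsplit


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source: str, blocked: str, document_uri: str) -> bool:
    """Simplified CSP source-expression match against a blocked URI.

    Handles 'self', 'none', scheme sources (data:), and host sources with an
    optional scheme and a leading *. wildcard. Ports and paths are ignored,
    and keyword/nonce/hash sources never match a URL.
    """
    b = urlsplit(blocked)
    if source == "'self'":
        d = urlsplit(document_uri)
        return (b.scheme, b.netloc) == (d.scheme, d.netloc)
    if source.startswith("'"):          # 'none', 'unsafe-inline', 'nonce-…', 'sha256-…'
        return False
    if source.endswith(":") and "//" not in source:   # scheme source, e.g. data:
        return b.scheme == source[:-1]
    if "://" in source:
        scheme, _, host = source.partition("://")
        if b.scheme != scheme:
            return False
    else:
        host = source
        if b.scheme not in ("http", "https"):      # scheme-less host sources are http(s) only
            return False
    host = host.split("/")[0].split(":")[0].lower()
    target = (b.hostname or "").lower()
    if host.startswith("*."):
        return target.endswith(host[1:])           # *.example.com matches a.example.com, not example.com
    return target == host


def classify_report(raw: str) -> str:
    """Classify one report body (the {"csp-report": {...}} JSON browsers POST).

    Returns "non-url-blocked" for inline/eval style values, "allowed-by-policy"
    when the blocked URI is permitted by the violated directive (the report
    contradicts the policy, so it most likely came from an extension or other
    client-side injection), and "genuine-violation" otherwise.
    """
    report = json.loads(raw)["csp-report"]
    blocked = report["blocked-uri"]
    if not urlsplit(blocked).scheme:
        return "non-url-blocked"
    # Browsers may send the whole directive value; keep only its name.
    directive = report.get("effective-directive", report["violated-directive"]).split()[0]
    policy = parse_policy(report["original-policy"])
    sources = policy.get(directive) or policy.get("default-src", [])
    if any(source_matches(s, blocked, report["document-uri"]) for s in sources):
        return "allowed-by-policy"
    return "genuine-violation"


# Constructed sample input, modelled on the policy from the question.
POLICY = ("default-src 'none'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com "
          "https://*.fontawesome.com; img-src 'self' data:; report-uri https://URL.com/csp-report.php")

EXTENSION_NOISE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://www.google-analytics.com/analytics.js",
    "document-uri": "https://URL.com/",
    "original-policy": POLICY,
    "violated-directive": "script-src",
}})

REAL_VIOLATION_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://cdn.example.net/tracker.js",   # hypothetical host, not in the policy
    "document-uri": "https://URL.com/",
    "original-policy": POLICY,
    "violated-directive": "script-src",
}})

if __name__ == "__main__":
    for name, body in (("analytics.js", EXTENSION_NOISE_REPORT), ("tracker.js", REAL_VIOLATION_REPORT)):
        print(name, "->", classify_report(body))
```

Run as a script it prints the classification of both constructed reports; in a real receiver the same function would gate which reports are stored or alerted on. Because the check only uses fields the browser itself sends, it does not need the live policy, so it keeps working when the policy is revised and old reports arrive from cached pages.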


