Content-Security-Policy-Report-Only - Empty or incorrect report data
I have a question about CSP report data (Content-Security-Policy-Report-Only).
In the report I only get the root domain https://******.com, but I expected the full path.
The referrer is always empty, but I need this data.
For example: <iframe src="https://*******.com/en/login" width="800" height="800" title="Test Frame"></iframe>
Can someone help me solve this?
Header: 'Content-Security-Policy-Report-Only: frame-ancestors 'self'; report-uri https://******.com/api/security-report'
{
"csp-report": {
"document-uri": "https://******.com/",
"referrer": "",
"violated-directive": "frame-ancestors",
"effective-directive": "frame-ancestors",
"original-policy": "frame-ancestors 'self'; report-uri https://******.com/api/security-report",
"disposition": "report",
"blocked-uri": "https://******.com/",
"status-code": 200,
"script-sample": ""
}
}
According to this article:
The spec further states that if the violating URI is from the same origin as the document-uri, the URI fragment can remain. If not, only the URI origin should be reported. Only Firefox did this incorrectly. For Firefox 5.0 - 41.0, it always reported the full URI, including the fragment, for every blocked-uri value. All other browsers that reported a blocked-uri (some older browsers didn’t) correctly reported the URI with and without the fragment in the correct cases.
The blocked-uri you get can differ depending on the origin where the violation occurred, the browser you use, your CSP version, and so on. You can change any of these to test your requirement again.
Regarding the referrer: you do not have any referrer triggering the CSP report, because none of the violating resources were caused by a referrer.
The article also explains this clearly.
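A minimal report-uri receiver for the report shape shown in the question, added here as an example (it is not code from the question, the answer or the linked article); the host name is a constructed placeholder for the masked domain. It records only the fields a collector can rely on, and flags when blocked-uri arrived as a bare origin so downstream code does not expect a path.

```python
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the frame-ancestors report from the question;
# "example-site.test" is a placeholder for the masked domain.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example-site.test/",
        "referrer": "",
        "violated-directive": "frame-ancestors",
        "effective-directive": "frame-ancestors",
        "original-policy": "frame-ancestors 'self'; report-uri https://example-site.test/api/security-report",
        "disposition": "report",
        "blocked-uri": "https://example-site.test/",
        "status-code": 200,
        "script-sample": "",
    }
})

REQUIRED = ("document-uri", "violated-directive", "blocked-uri", "disposition")


def origin_of(uri: str) -> str:
    """Return scheme://host[:port]; keywords such as 'inline' or 'eval' pass through unchanged."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return uri
    return f"{parts.scheme}://{parts.netloc}"


def parse_csp_report(body: str) -> dict:
    """Parse a legacy report-uri POST body into the fields a collector can trust.

    Browsers may reduce blocked-uri to its origin (see the quoted article), and the
    referrer field is frequently empty, so both are normalised rather than assumed.
    """
    data = json.loads(body)
    report = data.get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    missing = [k for k in REQUIRED if k not in report]
    if missing:
        raise ValueError(f"report lacks fields: {missing}")
    blocked = report["blocked-uri"]
    p = urlsplit(blocked)
    origin_only = bool(p.scheme and p.netloc and p.path in ("", "/") and not p.query and not p.fragment)
    return {
        "directive": report.get("effective-directive") or report["violated-directive"],
        "document_origin": origin_of(report["document-uri"]),
        "blocked_origin": origin_of(blocked),
        "blocked_is_origin_only": origin_only,
        "same_origin": origin_of(report["document-uri"]) == origin_of(blocked),
        "referrer_present": bool(report.get("referrer")),
        "enforced": report["disposition"] == "enforce",
    }
```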