CSP: all "Blocked 'script' from 'eval:'" reports are grouped together #31508

Open
patrakov opened this issue Feb 1, 2022 · 4 comments
@patrakov
patrakov commented Feb 1, 2022

Environment

self-hosted (https://develop.sentry.dev/self-hosted/)

Version

22.1.0

Steps to Reproduce

  1. Get a user who installs the "Adblock" (non-plus) Chrome extension.
  2. Get a CSP report from them.

The report looks like this:

```json
{
  "csp-report": {
    "effective_directive": "script-src",
    "blocked_uri": "eval",
    "document_uri": "about",
    "original_policy": "...; script-src 'self' 'unsafe-inline' 'report-sample' https://cdn.polyfill.io https://www.google.com https://www.gstatic.com; ...",
    "referrer": "",
    "status_code": 0,
    "violated_directive": "script-src",
    "line_number": 27,
    "column_number": 23,
    "script_sample": "(function injected(eventName, injectedIn",
    "disposition": "enforce"
  }
}
```

  3. Decide that it is useless, try to ignore.
  4. Look at the bottom, at the event grouping information, panic because you ignored too much.

Expected Result

Not sure. Maybe something that takes script_sample into account, and warns if the policy doesn't have report-sample?

Additionally, the ability to write a rule that says "all CSP reports with script_sample equal to (function injected(eventName, injectedIn are caused by AdBlock and should be ignored" would be good.

Actual Result

```
default
  csp
    salt (a static salt) script-src
    URL eval:
```

...which probably means that all "Blocked 'script' from 'eval:'" reports are grouped together. This particular CSP violation is caused by Adblock (and I have confirmed this with one user), but I would definitely not want this to be grouped together with real almost-successful XSS attempts.
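An added sketch (example code, not Sentry's grouping implementation) of what the behaviour requested in this issue could look like: a fingerprint that optionally includes `script_sample`, a check that the violated directive actually carries `'report-sample'` (otherwise the sample is empty and eval reports cannot be told apart), and an ignore rule keyed on the AdBlock sample prefix. The `KNOWN_BENIGN_SAMPLES` table, the function names and the embedded report are assumptions constructed for this example.

```python
import hashlib
import json

# Constructed report with the shape shown above (not a real captured event).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "effective_directive": "script-src",
    "blocked_uri": "eval",
    "original_policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'report-sample'",
    "script_sample": "(function injected(eventName, injectedIn",
}})

# Hypothetical ignore rule: script_sample prefixes known to come from browser extensions.
KNOWN_BENIGN_SAMPLES = {"(function injected(eventName, injectedIn": "adblock-extension"}


def parse_csp_report(raw: str) -> dict:
    # Return the inner "csp-report" object; tolerate a report sent without the wrapper.
    body = json.loads(raw)
    return body.get("csp-report", body)


def policy_has_report_sample(report: dict) -> bool:
    # script_sample is only populated when the violated directive carries 'report-sample'.
    policy = report.get("original_policy", "")
    directive = report.get("effective_directive") or report.get("violated_directive", "")
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return "'report-sample'" in tokens
    return False


def fingerprint(report: dict, use_sample: bool) -> str:
    # use_sample=False mimics grouping on directive + blocked_uri only, so every eval
    # violation collapses into one issue; True separates them by script_sample.
    parts = [report.get("effective_directive", ""), report.get("blocked_uri", "")]
    if use_sample:
        parts.append(report.get("script_sample", ""))
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


def classify(report: dict) -> str:
    # Ignore rule first; an eval report with no sample cannot be distinguished, so flag it.
    sample = report.get("script_sample", "")
    for prefix, label in KNOWN_BENIGN_SAMPLES.items():
        if sample.startswith(prefix):
            return "ignore:" + label
    if report.get("blocked_uri") == "eval" and not sample:
        return "review:no-sample"
    return "review"
```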

@patrick-laa
This would all be solvable if it was possible to add a custom issue grouping fingerprint rule where the script_sample was added to the fingerprint. Unfortunately that's not supported at the moment.

@getsantry getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 Sep 7, 2023
@hubertdeng123
Member

Thanks for bringing this up. I'm going to add this to the Issues backlog

@getsantry
Contributor

getsantry bot commented Sep 8, 2023

Routing to @getsentry/product-owners-issues for triage ⏲️

@lobsterkatie
Member

Possibly related to getsentry/relay#4323 and #81531.
