Content-Security-Policy Blocking Whitelisted Domains

My site has been running a content-security-policy-report-only header for a few months, and during that time I have seen a few violations for domains that should be whitelisted. The site gets enough traffic, and the reports come in rarely enough, that the policy seems to be working as intended for most users.

The following report shows the original policy and the violation in question:

{"csp-report":{
    "document-uri":"https://admin1.sitespect.com/",
    "referrer":"https://admin1.sitespect.com/",
    "violated-directive":"script-src-elem",
    "effective-directive":"script-src-elem",
    "original-policy": "
        report-uri /log/CSP/PolicyViolations?csptoken=ZTBXXVPXFRBRTETZFOQK;
        default-src 'self' 'unsafe-eval' 'unsafe-inline';
        frame-src * data:;
        img-src * data: blob:;
        script-src https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
        script-src-elem https://www.google.com https://js.hs-scripts.com https://*.receptive.io https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://js.hscollectedforms.net https://feedback.pendo.io https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://forms.hubspot.com https://api.feedback.eu.pendo.io https://js.usemessages.com 'self' 'unsafe-inline' 'unsafe-eval';
        connect-src https://api.feedback.eu.pendo.io https://api.hubapi.com https://forms.hubspot.com https://recs.sitespect.net https://*.receptive.io https://api.hubspot.com 'self';
        worker-src 'self' 'unsafe-eval' 'unsafe-inline' blob:;",
    "disposition":"report",
    "blocked-uri":"https://feedback.pendo.io/js/widget/widget.js",
    "status-code":0,
    "script-sample":""
}}

Am I missing something in my policy? I know CSP enforcement occasionally varies between browsers - the violations over the past month came from Chrome 87, based on the user agent, but I can't guarantee that is the case for all of them.

The answer is in the "status-code":0, string of the violation report. 0 (really: empty) means that no HTTP status code was returned when the browser tried to load https://feedback.pendo.io/js/widget/widget.js.

This is because ad blockers blocked the connection. The pendo.io domain is included in blacklists such as those of AdBlock and AdGuard.

The browser cannot reach such "whitelisted" domains and does not receive any HTTP status code (200 OK, 301/304/403/404/500, etc.). As a result, some browsers mistakenly treat this as a CSP violation rather than as a network error.
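As an added example (not code from the question or the answer), a small Python triage helper for a report-uri endpoint that applies the answer's heuristic: it checks whether the blocked-uri is actually allowed by the effective directive in the report's original-policy, and if it is allowed but status-code is 0, it flags the report as a client-side block rather than a policy gap. The constructed sample report (shortened policy) and the simplified host-source matching (ports and paths ignored) are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample, modelled on the report in the question (policy shortened).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://admin1.sitespect.com/",
    "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; script-src-elem https://www.google.com "
                       "https://*.receptive.io https://feedback.pendo.io 'self' 'unsafe-inline'",
    "blocked-uri": "https://feedback.pendo.io/js/widget/widget.js",
    "status-code": 0,
}})


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def sources_for(policy: dict, directive: str) -> list:
    """Apply the CSP fallback chain, e.g. script-src-elem -> script-src -> default-src."""
    chain = [directive, directive.rsplit("-", 1)[0], "default-src"]
    return next((policy[n] for n in chain if n in policy), [])


def source_matches(source: str, blocked: str, document: str) -> bool:
    """Simplified host-source matching: 'self', exact https origins and https://*.host wildcards."""
    b, s = urlparse(blocked), urlparse(document if source == "'self'" else source)
    if not s.hostname or s.scheme != b.scheme:
        return False  # keyword sources such as 'unsafe-inline' never match a URL
    if s.hostname.startswith("*."):
        return b.hostname.endswith(s.hostname[1:])
    return s.hostname == b.hostname


def classify(report_json: str) -> str:
    """'policy-gap' if blocked-uri is not allowed; 'client-side-block' if it is allowed but no HTTP status came back (the ad-blocker case); else 'enforced-violation'."""
    r = json.loads(report_json)["csp-report"]
    directive = r.get("effective-directive") or r["violated-directive"]
    sources = sources_for(parse_policy(r["original-policy"]), directive)
    if not any(source_matches(s, r["blocked-uri"], r["document-uri"]) for s in sources):
        return "policy-gap"
    return "client-side-block" if r.get("status-code", 0) == 0 else "enforced-violation"
```

Reports classified as client-side-block can be counted separately instead of being treated as evidence that the policy needs another source.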