Is it possible to capture CSP errors via JavaScript?
2 answers
A SecurityPolicyViolationEvent DOM Event has been added to Content Security Policy Level 2. From the section Changes from level 1:
A SecurityPolicyViolationEvent is fired from violations, as described in §6.3. Eliminate threat events.
However, browser support is limited (see http://caniuse.com/#feat=contentsecuritypolicy2).
+2
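The event named in the answer above can be handled from page script as follows. This is an added example, not part of the original answers; the function names, the sink callback and the "/csp-log" endpoint are assumptions made for illustration.

```javascript
// Added example, not from the original answers. summarizeViolation,
// installCspListener and the sink callback are illustrative names.

// Drop query string and fragment: reported URLs can carry tokens or PII.
function scrubUrl(value) {
  if (typeof value !== 'string' || value === '') return '';
  try {
    const u = new URL(value);
    return u.origin === 'null' ? u.protocol : u.origin + u.pathname;
  } catch (_) {
    return value; // keyword values such as "inline" or "eval"
  }
}

// Copy the fields worth logging from a SecurityPolicyViolationEvent.
function summarizeViolation(event) {
  return {
    documentURI: scrubUrl(event.documentURI),
    blockedURI: scrubUrl(event.blockedURI),
    violatedDirective: String(event.violatedDirective || ''),
    effectiveDirective: String(event.effectiveDirective || ''),
    sourceFile: scrubUrl(event.sourceFile),
    lineNumber: Number(event.lineNumber) || 0,
  };
}

// Listen on `target` (normally `document`). Identical violations are passed
// to `sink` once, and at most `limit` distinct reports are forwarded.
function installCspListener(target, sink, limit = 20) {
  const seen = new Set();
  const handler = (event) => {
    const r = summarizeViolation(event);
    const key = [r.effectiveDirective, r.blockedURI, r.sourceFile, r.lineNumber].join('|');
    if (seen.has(key) || seen.size >= limit) return;
    seen.add(key);
    sink(r);
  };
  target.addEventListener('securitypolicyviolation', handler);
  return () => target.removeEventListener('securitypolicyviolation', handler);
}

// Browser usage; "/csp-log" is a placeholder endpoint:
// installCspListener(document, (r) =>
//   navigator.sendBeacon('/csp-log', JSON.stringify(r)));
```

If the reports are sent with sendBeacon or fetch, the collection endpoint has to be allowed by the policy's connect-src, otherwise the report request is itself blocked.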
The headers can include report-uri, which specifies the endpoint for reporting CSP violations. You can collect them yourself or send them to a bug reporting service such as Sentry.
def middleware(request, response):
    # Attach the policy to every response; report-uri is where the browser
    # POSTs violation reports.
    response['Content-Security-Policy'] = \
        "default-src *; " \
        "script-src 'self' 'unsafe-eval' 'unsafe-inline' cdn.example.com cdn.ravenjs.com; " \
        "style-src 'self' 'unsafe-inline' cdn.example.com; " \
        "img-src * data:; " \
        "report-uri https://app.getsentry.com/api/54785/csp-report/?sentry_key=SENTRY_KEY"
    return response
0