Is it possible to capture CSP errors via JavaScript?

I have added Content-Security-Policy to the header of my site and I am trying to log client-side Content-Security-Policy errors using JavaScript.

Can you please let me know if there is any way to capture CSP errors via JavaScript?

+3




2 answers


A SecurityPolicyViolationEvent DOM Event has been added to Content Security Policy Level 2. From the section Changes from level 1:

A SecurityPolicyViolationEvent is fired from violations, as described in §6.3. Eliminate threat events.

However, browser support is limited (see http://caniuse.com/#feat=contentsecuritypolicy2)

+2


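The event-based approach from the answer above, as an added example that is not part of either answer: a listener for the `securitypolicyviolation` event that turns each SecurityPolicyViolationEvent into a small report, deduplicates repeats and caps volume before forwarding. The `/csp-log` endpoint, the `installCspLogger` and `toReport` names and the size limits are assumptions made for illustration.

```javascript
// Added example: collect CSP violations in the page and forward them for logging.
// The fields read here are attributes of SecurityPolicyViolationEvent.
const FIELDS = ['documentURI', 'blockedURI', 'violatedDirective', 'effectiveDirective',
                'sourceFile', 'lineNumber', 'columnNumber', 'disposition'];
const MAX_LEN = 512;     // cap string fields: values come from the page, treat as untrusted
const MAX_REPORTS = 20;  // per page load, so one broken page cannot flood the log

function toReport(event) {
  const report = {};
  for (const name of FIELDS) {
    const value = event[name];
    if (value === undefined || value === null || value === '') continue;
    report[name] = typeof value === 'string' ? value.slice(0, MAX_LEN) : value;
  }
  return report;
}

// `target` is any object with addEventListener (normally `document`);
// `send` receives each new report object. Both are assumptions of this sketch.
function installCspLogger(target, send) {
  const seen = new Set();
  target.addEventListener('securitypolicyviolation', (event) => {
    const report = toReport(event);
    // The same violation often repeats (one blocked resource per element or reload).
    const key = [report.effectiveDirective || report.violatedDirective,
                 report.blockedURI, report.sourceFile, report.lineNumber].join('|');
    if (seen.has(key) || seen.size >= MAX_REPORTS) return;
    seen.add(key);
    send(report);
  });
  return seen;
}

// Browser wiring; '/csp-log' is a hypothetical same-origin endpoint.
if (typeof document !== 'undefined') {
  installCspLogger(document, (report) => {
    // sendBeacon is governed by connect-src, so the policy must allow this endpoint.
    navigator.sendBeacon('/csp-log', JSON.stringify(report));
  });
}
```

Register the listener as early as possible in the page, since violations that fire before it is attached are not replayed. The receiving endpoint should treat every field as untrusted input.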


The headers can include report-uri, which specifies the endpoint for reporting CSP violations. You can collect them yourself or send them to a bug reporting service such as Sentry.



def middleware(request, response):
    response['Content-Security-Policy'] = \
        "default-src *; " \
        "script-src 'self' 'unsafe-eval' 'unsafe-inline' cdn.example.com cdn.ravenjs.com; " \
        "style-src 'self' 'unsafe-inline' cdn.example.com; " \
        "img-src * data:; " \
        "report-uri https://app.getsentry.com/api/54785/csp-report/?sentry_key=SENTRY_KEY"
    return response

      

0

