Research multiple csp violation error caught on production api logs #3198
Comments
CSP Highlights:
With the help of @jason-upchurch's Python program that extracts and displays the directives in a table format, I have uploaded the results here:
Thanks @jason-upchurch for all the help. We can reuse the Python script below to export only the CSP report directives into a table.
@patphongs could you please take a look at the violated directives and make the necessary code changes on CMS or API? Later we can deploy and test whether any new directives are being flagged in the logs. I can create a follow-up ticket if we decide to make any code changes.
Thanks @pkfec for the report. It's hard for me to tell where these violations are happening with this data. Even though it provides the URL, when I go to the page of the violation, I don't see any CSP errors reported in the console. I'll need some more time to analyze it, I think.
@patphongs Like I mentioned, these reports are OS- and browser-specific. I had a hard time reproducing the reports on my local.
Research complete and closing.
Summary
Content Security Policy is blocking Google Analytics and DAP analytics from the front-end portion of the API: https://api.open.fec.gov/developers/
Examples of violations
```
2019-09-24T15:55:26.04-0400 [APP/PROC/WEB/5] ERR {'csp-report': {'document-uri': 'https://www.fec.gov/data/candidates/?election_year=2020&party=DEM&state=TX&district=31', 'referrer': '', 'violated-directive': 'img-src', 'effective-directive': 'img-src', 'original-policy': "default-src 'self' *.fec.gov *.app.cloud.gov https://www.google-analytics.com; frame-src 'self' https://www.google.com/recaptcha/ https://www.youtube.com/; img-src 'self' data: https://*.ssl.fastly.net https://www.google-analytics.com *.app.cloud.gov; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov; style-src 'self' data: 'unsafe-inline'; object-src 'none'; report-uri https://api.open.fec.gov/report-csp-violation/?api_key=oXy*************;", 'disposition': 'enforce', 'blocked-uri': 'https://datapro.website/metric/?mid=&wid=52526&sid=&tid=8385&rid=URL_IGNOREDOMAIN&t=1569354925660', 'status-code': 0, 'script-sample': ''}}
2019-09-24T15:59:45.43-0400 [APP/PROC/WEB/1] ERR {'csp-report': {'document-uri': 'https://www.fec.gov/data/elections/house/CA/25/2020/', 'referrer': 'https://www.fec.gov/data/elections/?cycle=2020&zip=91350', 'violated-directive': 'font-src', 'effective-directive': 'font-src', 'original-policy': "default-src 'self' *.fec.gov *.app.cloud.gov https://www.google-analytics.com; frame-src 'self' https://www.google.com/recaptcha/ https://www.youtube.com/; img-src 'self' data: https://*.ssl.fastly.net https://www.google-analytics.com *.app.cloud.gov; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov; style-src 'self' data: 'unsafe-inline'; object-src 'none'; report-uri https://api.open.fec.gov/report-csp-violation/?api_key=oXy***************;", 'disposition': 'enforce', 'blocked-uri': 'data', 'status-code': 0, 'script-sample': ''}}
2019-09-24T16:06:28.01-0400 [APP/PROC/WEB/0] ERR {'csp-report': {'document-uri': 'https://www.fec.gov/data/', 'referrer': '', 'violated-directive': 'font-src', 'effective-directive': 'font-src', 'original-policy': "default-src 'self' *.fec.gov *.app.cloud.gov https://www.google-analytics.com; frame-src 'self' https://www.google.com/recaptcha/ https://www.youtube.com/; img-src 'self' data: https://*.ssl.fastly.net https://www.google-analytics.com *.app.cloud.gov; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov; style-src 'self' data: 'unsafe-inline'; object-src 'none'; report-uri https://api.open.fec.gov/report-csp-violation/?api_key=oXy************;", 'disposition': 'enforce', 'blocked-uri': 'data', 'status-code': 0, 'script-sample': ''}}
```
** Screen shot from browser console **
Completion Criteria
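The extraction script the comments refer to is not reproduced on this page. The following is an added example, not the project's script or any participant's code: it parses report lines in the format quoted above (a Python dict repr after `ERR`, including lines whose quotes were turned curly by pasting), renders the violated directives as a table, and adds one check worth having during triage: whether the policy text itself would have allowed the blocked URI, using a simplified CSP source matcher (no port handling). The policy, the tracker host `tracker.example`, the report-uri host and the timestamps in `SAMPLE_LOG` are constructed for the example; `data` as a blocked-uri is how browsers report a `data:` URL.

```python
import ast
import re
from urllib.parse import urlsplit

# Constructed sample policy in the shape of the one quoted in this issue; the
# report-uri host and api_key are placeholders, not production values.
POLICY = ("default-src 'self' *.fec.gov https://www.google-analytics.com; "
          "img-src 'self' data: https://www.google-analytics.com *.app.cloud.gov; "
          "object-src 'none'; report-uri https://report.example/csp/?api_key=PLACEHOLDER;")


def _log_line(stamp, doc, directive, blocked, curly=False):
    """Build one log line in the issue's format: a Python dict repr after 'ERR'."""
    report = {"csp-report": {"document-uri": doc, "referrer": "", "violated-directive": directive,
                             "effective-directive": directive, "original-policy": POLICY,
                             "disposition": "enforce", "blocked-uri": blocked,
                             "status-code": 0, "script-sample": ""}}
    line = f"{stamp} [APP/PROC/WEB/0] ERR {report!r}"
    if curly:  # mimic a line pasted through a word processor, like the issue's second example
        line = line.replace("'", "\u2019").replace('"', "\u201d")
    return line


# Constructed sample log: a placeholder third-party tracker, two data: font loads,
# and one Google Analytics beacon that the policy text already permits.
SAMPLE_LOG = [
    _log_line("2019-09-24T15:55:26.04-0400", "https://www.fec.gov/data/candidates/?election_year=2020",
              "img-src", "https://tracker.example/metric/?wid=1"),
    _log_line("2019-09-24T15:59:45.43-0400", "https://www.fec.gov/data/elections/house/CA/25/2020/",
              "font-src", "data", curly=True),
    _log_line("2019-09-24T16:06:28.01-0400", "https://www.fec.gov/data/", "font-src", "data"),
    _log_line("2019-09-24T16:10:02.00-0400", "https://www.fec.gov/data/", "img-src",
              "https://www.google-analytics.com/collect?v=1"),
]

CURLY = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "report-uri", "sandbox"}
HOST_SRC = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<wild>\*\.)?"
                      r"(?P<host>[^/:*]+)(?::(?:\d+|\*))?(?P<path>/.*)?$", re.I)


def parse_report(line):
    """Return the inner csp-report dict from one log line, or None if the line carries none."""
    line = line.translate(CURLY)             # fold curly quotes back to ASCII
    start = line.find("{'csp-report'")
    if start < 0:
        return None
    # literal_eval accepts only Python literals, so log content cannot execute code.
    return ast.literal_eval(line[start:].strip())["csp-report"]


def parse_policy(policy):
    """Map each directive name to its list of source expressions."""
    parts = (p.split() for p in policy.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}


def sources_for(directives, name):
    """Return (governing directive, sources), applying the default-src fallback."""
    if name in directives or name in NO_FALLBACK:
        return name, directives.get(name, [])
    return "default-src", directives.get("default-src", [])


def source_matches(src, blocked, document):
    """Simplified CSP source matching (no port handling): does `src` permit `blocked`?"""
    if src.startswith("'") and src != "'self'":   # 'none', 'unsafe-*', nonces, hashes
        return False
    if "://" not in blocked:                       # browsers report bare schemes, e.g. 'data'
        return src.lower() == blocked.rstrip(":").lower() + ":"
    b = urlsplit(blocked)
    if src == "'self'":
        d = urlsplit(document)
        return (b.scheme, b.hostname, b.port) == (d.scheme, d.hostname, d.port)
    if src.endswith(":"):                          # scheme-source, e.g. https:
        return b.scheme == src[:-1].lower()
    m = HOST_SRC.match(src)
    if not m or (m["scheme"] and m["scheme"].lower() != b.scheme):
        return False
    host, want = b.hostname or "", m["host"].lower()
    host_ok = host.endswith("." + want) if m["wild"] else host == want  # *.x.gov excludes x.gov
    if not host_ok:
        return False
    path = m["path"]
    if path:                                       # trailing slash = prefix, otherwise exact
        return b.path.startswith(path) if path.endswith("/") else b.path == path
    return True


def triage(lines):
    """One row per report, with the governing directive and whether the policy text
    itself would have allowed the blocked URI (a sanity check on the report)."""
    rows = []
    for line in lines:
        rep = parse_report(line)
        if rep is None:
            continue
        governing, srcs = sources_for(parse_policy(rep["original-policy"]), rep["effective-directive"])
        rows.append({"directive": rep["effective-directive"], "governing": governing,
                     "blocked": rep["blocked-uri"], "document": rep["document-uri"],
                     "policy_allows": any(source_matches(s, rep["blocked-uri"], rep["document-uri"])
                                          for s in srcs)})
    return rows


def format_table(rows):
    """Render triage rows as a Markdown table, as the script mentioned in this thread did."""
    cols = ["directive", "governing", "blocked", "policy_allows", "document"]
    head = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    return "\n".join(head + ["| " + " | ".join(str(r[c]) for c in cols) + " |" for r in rows])
```

Running `print(format_table(triage(SAMPLE_LOG)))` shows the two `font-src` reports falling back to `default-src`, which lists no `data:` source, so a `data:` font is a genuine violation to resolve in the application or the policy; the tracker row matches nothing in the policy, and a blocked URI that neither the application nor its policy references, and that cannot be reproduced locally, often comes from browser extensions or other client-side injection, which fits the OS- and browser-specific pattern described in the comments above. A `policy_allows` of True means the report disagrees with the policy text and deserves a closer look before the policy is changed.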