Research multiple csp violation error caught on production api logs #3198
Comments
lbeaufort
changed the title
|
CSP Highlights:
|
|
With the help of @jason-upchurch python program that extracts and displays the directives in a table format i have uploaded the results here:
thanks @jason-upchurch for all the help. We can reuse python script below to export only the csp report directives into a table. |
|
@patphongs could you please take a look at the violated directives and make necessary code changes on cms or api? Later we can deploy and test if any new directive are being flagged in the logs. I can create a follow up ticket if we decide to make any code changes. |
|
Thanks @pkfec for the report. It's hard for me to tell where these violations are happening with this data. Even though it provides the URL, when I go to the page of the violation, I don't see any CSP errors reported in the console. I'll need some more time to analyze it I think. |
|
@patphongs Like i mentioned, these reports are OS and browser specific. I had hard time reproducing the reports on my local.
|
|
research complete and closing. |
Summary
Content security policy is blocking google analytics and DAP analytics from the front end portion of the API: https://api.open.fec.gov/developers/
Examples of violations
2019-09-24T15:55:26.04-0400 [APP/PROC/WEB/5] ERR {'csp-report': {'document-uri': 'https://www.fec.gov/data/candidates/?election_year=2020&party=DEM&state=TX&district=31', 'referrer': '', 'violated-directive': 'img-src', 'effective-directive': 'img-src', 'original-policy': "default-src 'self' .fec.gov .app.cloud.gov https://www.google-analytics.com; frame-src 'self' https://www.google.com/recaptcha/ https://www.youtube.com/; img-src 'self' data: https://.ssl.fastly.net https://www.google-analytics.com .app.cloud.gov; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov; style-src 'self' data: 'unsafe-inline'; object-src 'none'; report-uri https://api.open.fec.gov/report-csp-violation/?api_key=oXy*************;", 'disposition': 'enforce', 'blocked-uri': 'https://datapro.website/metric/?mid=&wid=52526&sid=&tid=8385&rid=URL_IGNOREDOMAIN&t=1569354925660', 'status-code': 0, 'script-sample': ''}}```
2019-09-24T15:59:45.43-0400 [APP/PROC/WEB/1] ERR {‘csp-report’: {‘document-uri’: ’https://www.fec.gov/data/elections/house/CA/25/2020/', ‘referrer’: ‘https://www.fec.gov/data/elections/?cycle=2020&zip=91350’, ‘violated-directive’: ‘font-src’, ‘effective-directive’: ‘font-src’, ‘original-policy’: “default-src ‘self’ *.fec.gov .app.cloud.gov https://www.google-analytics.com; frame-src ‘self’ https://www.google.com/recaptcha/ https://www.youtube.com/; img-src ‘self’ data: https://.ssl.fastly.net https://www.google-analytics.com *.app.cloud.gov; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov; style-src ‘self’ data: ‘unsafe-inline’; object-src ‘none’; report-uri https://api.open.fec.gov/report-csp-violation/?api_key=oXy***************;“, ‘disposition’: ‘enforce’, ‘blocked-uri’: ‘data’, ‘status-code’: 0, ‘script-sample’: ‘’}}
2019-09-24T16:06:28.01-0400 [APP/PROC/WEB/0] ERR {'csp-report': {'document-uri': 'https://www.fec.gov/data/', 'referrer': '', 'violated-directive': 'font-src', 'effective-directive': 'font-src', 'original-policy': "default-src 'self' .fec.gov .app.cloud.gov https://www.google-analytics.com; frame-src 'self' https://www.google.com/recaptcha/ https://www.youtube.com/; img-src 'self' data: https://.ssl.fastly.net https://www.google-analytics.com .app.cloud.gov; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com https://polyfill.io https://dap.digitalgov.gov; style-src 'self' data: 'unsafe-inline'; object-src 'none'; report-uri https://api.open.fec.gov/report-csp-violation/?api_key=oXy************;", 'disposition': 'enforce', 'blocked-uri': 'data', 'status-code': 0, 'script-sample': ''}}
** Screen shot from browser console **
Completion Criteria
The text was updated successfully, but these errors were encountered: