
[CSP] Incorrect `script-src` handling

Open lobsterkatie opened this issue 1 year ago • 0 comments

In messing around with our CSP-handling code and looking at a bunch of example CSP events in the process of teaching the grouphash metadata helpers how to gather data on security reports, I discovered that we're interpreting the `unsafe-eval` and `unsafe-inline` keywords backwards.

This is from our logic which turns an incoming CSP report into a Sentry event:

https://github.com/getsentry/relay/blob/9b39f40d8dde6bafffa584342a84906e178c7006/relay-event-schema/src/protocol/security_report.rs#L329-L332

But according to MDN (here, capitalization mine):

If a page has a CSP header and ‘unsafe-eval’ ISN’T specified with the script-src directive, the following methods are blocked and won’t have any effect:

  • eval() etc.

And it's the same idea for `unsafe-inline`. So IOW, having one of those in your `script-src` directive ALLOWS eval and/or inline scripts, not blocks them.

According to the spec, inline script violations have `blocked-uri: inline` and eval violations have `blocked-uri: eval`, so it seems like that's what we should be looking for instead. (See point 4 here.)

UPDATE: Added https://github.com/getsentry/sentry/issues/81531 to track making sure the sentry side of things is updated once this is fixed.

lobsterkatie, Dec 02 '24 20:12
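The two readings of a report that the issue contrasts, as an added Rust example (illustrative code written for this page, not relay's own implementation). The `CspReport` struct, its field names and the `Violation` enum are assumptions standing in for whatever relay deserialises from the `csp-report` JSON; the two sample reports are constructed, not captured from a browser. `classify_by_keyword` encodes the backwards interpretation the issue describes (keyword present in the violated directive is read as "blocked"), `classify_by_blocked_uri` the spec-based one, and the helper resolves the directive through the `-elem`/`-attr` → base → `default-src` fallback chain so the keyword lookup itself is not the thing that goes wrong:

```rust
// Added example: classifying a CSP violation report by `blocked-uri` (as the
// issue proposes) versus by scanning the policy for 'unsafe-inline'/'unsafe-eval'
// (the reading the issue identifies as inverted). Not relay's code.

/// Subset of `csp-report` fields used here (assumed names, mirroring the JSON
/// keys `effective-directive`, `blocked-uri`, `original-policy`).
#[derive(Debug, Clone, PartialEq)]
pub struct CspReport {
    pub effective_directive: String,
    pub blocked_uri: String,
    pub original_policy: String,
}

/// What the browser refused to run or load.
#[derive(Debug, Clone, PartialEq)]
pub enum Violation {
    /// Inline <script> / event handler; the spec sets `blocked-uri` to "inline".
    InlineScript,
    /// eval(), new Function(), string timers; `blocked-uri` is "eval".
    Eval,
    /// Any other resource, identified by the (browser-sanitised) URL.
    Resource(String),
}

/// Source list governing `name` in a serialised policy, following the CSP
/// fallback chain: `script-src-elem`/`-attr` -> `script-src` -> `default-src`.
pub fn effective_source_list(policy: &str, name: &str) -> Option<String> {
    let base = name.trim_end_matches("-elem").trim_end_matches("-attr");
    let lookup = |wanted: &str| {
        policy.split(';').map(str::trim).find_map(|directive| {
            let mut parts = directive.splitn(2, char::is_whitespace);
            let dname = parts.next()?;
            dname
                .eq_ignore_ascii_case(wanted)
                .then(|| parts.next().unwrap_or("").trim().to_string())
        })
    };
    lookup(name).or_else(|| lookup(base)).or_else(|| lookup("default-src"))
}

/// True if `keyword` (e.g. "'unsafe-inline'") appears in the source list that
/// governs `directive` in `policy`.
pub fn keyword_present(policy: &str, directive: &str, keyword: &str) -> bool {
    effective_source_list(policy, directive)
        .map(|list| list.split_whitespace().any(|tok| tok.eq_ignore_ascii_case(keyword)))
        .unwrap_or(false)
}

/// The inverted reading: the keyword's presence in the violated directive is
/// taken as evidence that inline script / eval was blocked. Since the keyword
/// actually *permits* those, this mislabels reports in both directions.
pub fn classify_by_keyword(report: &CspReport) -> Violation {
    let (p, d) = (&report.original_policy, &report.effective_directive);
    if keyword_present(p, d, "'unsafe-inline'") {
        Violation::InlineScript
    } else if keyword_present(p, d, "'unsafe-eval'") {
        Violation::Eval
    } else {
        Violation::Resource(report.blocked_uri.clone())
    }
}

/// The spec-based reading: `blocked-uri` is "inline" for inline violations and
/// "eval" for eval violations, independent of what the policy text contains.
pub fn classify_by_blocked_uri(report: &CspReport) -> Violation {
    match report.blocked_uri.as_str() {
        "inline" => Violation::InlineScript,
        "eval" => Violation::Eval,
        other => Violation::Resource(other.to_string()),
    }
}

fn main() {
    // Constructed sample reports (not captured from a real browser).
    let inline_blocked = CspReport {
        effective_directive: "script-src".into(),
        blocked_uri: "inline".into(),
        original_policy: "default-src 'self'; script-src 'self' https://cdn.example.com".into(),
    };
    let external_blocked = CspReport {
        effective_directive: "script-src-elem".into(),
        blocked_uri: "https://evil.example/x.js".into(),
        original_policy: "default-src 'self'; script-src 'self' 'unsafe-inline'".into(),
    };
    for r in [&inline_blocked, &external_blocked] {
        println!(
            "keyword reading: {:?} | blocked-uri reading: {:?}",
            classify_by_keyword(r),
            classify_by_blocked_uri(r)
        );
    }
}
```

Running it shows the inversion concretely: the first report (no `'unsafe-inline'` in the policy, so an inline script was in fact blocked) is not recognised as an inline violation by the keyword reading, while the second (policy permits inline, an external script was blocked) is wrongly labelled as one; the `blocked-uri` reading gets both right. One caveat when you do see `blocked-uri: inline` alongside `'unsafe-inline'` in the governing directive: that is consistent with the spec, because browsers ignore `'unsafe-inline'` once a nonce or hash source is present in the same directive, so the keyword alone says nothing about whether inline script was allowed.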