
CSP media-src issue

Open k-risc opened this issue 1 year ago • 0 comments

I was analyzing CSP reports saying `Content-Security-Policy: (Report-Only policy) The page’s settings would block the loading of a resource (media-src) at data: because it violates the following directive: “media-src 'none'”` on a website we implement.

We do not have any audio or video on our site (it says here that it is connected to audio/video: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src).

In order to debug, I removed the output bit by bit and refreshed, until the page was completely empty. The report was still created. I then switched off NoScript, refreshed the page, and the report was not created any more.

Is there any way to circumvent this? What exactly is the idea behind this? I mean what is NoScript doing that causes these reports, considering we ourselves do not use audio or video on our site?

k-risc • Jul 01 '24 10:07