CSP in Firefox blocks the Google Analytics URL even though the CSP allows the blocked URL

Time: 2020-07-09 22:44:16

Tags: firefox google-analytics content-security-policy

We have a CSP (Content-Security-Policy-Report-Only) defined in our web application, which runs in an iframe. This CSP allows https://www.google-analytics.com/analytics.js in the script-src directive. Despite that, we still receive a large number of CSP reports about https://www.google-analytics.com/analytics.js being blocked. This happens only in Firefox (74-78) on various operating systems: Windows 10, Linux (Ubuntu) and macOS (we see this in sentry.io, which collects all of our CSP reports). Here is an example of such a report.

{
  "csp-report": {
    "blocked_uri": "https://www.google-analytics.com/analytics.js",
    "referrer": "",
    "violated_directive": "script-src",
    "document_uri": "https://ourappdomain.herokuapp.com",
    "original_policy": "style-src 'report-sample' 'unsafe-inline' https://ourappdomain.herokuapp.com https://d301sr5gafysq2.cloudfront.net https://aui-cdn.atlassian.com/aui-adg/6.0.0/css/aui.min.css https://aui-cdn.atlassian.com/aui-adg/6.0.0/css/aui-experimental.min.css; script-src 'report-sample' 'unsafe-eval' https://ourappdomain.herokuapp.com https://bitbucket.org/atlassian-connect/all.js https://www.google-analytics.com/analytics.js https://aui-cdn.atlassian.com/aui-adg/6.0.0/js/aui.min.js https://aui-cdn.atlassian.com/aui-adg/6.0.0/js/aui-soy.min.js https://aui-cdn.atlassian.com/aui-adg/6.0.0/js/aui-experimental.min.js https://aui-cdn.atlassian.com/aui-adg/6.0.0/js/aui-datepicker.min.js https://cdnjs.cloudflare.com/ajax/libs/require.js/2.3.6/require.min.js https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore-min.js https://cdnjs.cloudflare.com/ajax/libs/backbone.js/1.3.3/backbone-min.js https://cdnjs.cloudflare.com/ajax/libs/lodash.js/3.8.0/lodash.min.js https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/d3/5.7.0/d3.min.js https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.9.0/moment.min.js https://cdnjs.cloudflare.com/ajax/libs/react/16.13.1/umd/react.production.min.js https://cdnjs.cloudflare.com/ajax/libs/react-dom/16.13.1/umd/react-dom.production.min.js; form-action 'none'; connect-src https://ourappdomain.herokuapp.com https://api.bitbucket.org https://sentry.io https://www.google-analytics.com https://d301sr5gafysq2.cloudfront.net; img-src https:; font-src https://aui-cdn.atlassian.com; object-src 'none'; default-src 'none'; base-uri 'none'",
    "effective_directive": "script-src"
  }
}

Why does this happen?

0 answers:

No answers
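As an added triage example (not from the question or from any answer, written here in Python): parse the report's original_policy and check whether blocked_uri is actually matched by the effective directive's source list, falling back to default-src as CSP does. A report that comes back allowed-by-policy, like the one above, cannot have been produced by the server-sent policy as written, so the cause is on the client side (content blockers and browser extensions are the common source of such noise) rather than in the policy text. The sample report is constructed from the question's values with the policy trimmed; the matcher goes beyond the question's policy by also handling `*.host` and path-prefix sources, and it ignores ports and nonce/hash sources.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the report in the question; policy trimmed to the
# directives relevant to this URL.
SAMPLE_REPORT = {"csp-report": {
    "blocked_uri": "https://www.google-analytics.com/analytics.js",
    "effective_directive": "script-src",
    "original_policy": "default-src 'none'; img-src https:; script-src 'report-sample' "
        "'unsafe-eval' https://ourappdomain.herokuapp.com "
        "https://www.google-analytics.com/analytics.js https://cdnjs.cloudflare.com/ajax/libs/"}}

def parse_policy(policy):
    """Split a serialized CSP into {directive: [source expressions]}."""
    parts = (p.split() for p in policy.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def source_matches(source, url):
    """Approximate CSP host-source matching (scheme, host incl. '*.', path); ports ignored."""
    u, src = urlsplit(url), source.lower()
    if u.hostname is None or src.startswith("'"):   # 'inline'/'eval' reports, keywords, hashes
        return False
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:         # scheme-source such as "https:"
        return u.scheme == src[:-1]
    s = urlsplit(src if "://" in src else f"{u.scheme}://{src}")  # schemeless host-source
    if s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        if not u.hostname.endswith(host[1:]):
            return False
    elif host != u.hostname:
        return False
    if s.path and s.path != "/":   # a path limits the match to one file or a subtree
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True

def triage(report):
    """'allowed-by-policy' if the blocked URI matches the effective directive's sources
    (falling back to default-src), meaning the server-sent policy cannot be what blocked
    it; otherwise 'policy-violation'."""
    r = report["csp-report"]
    d = parse_policy(r["original_policy"])
    sources = d.get(r["effective_directive"], d.get("default-src", []))
    if any(source_matches(s, r["blocked_uri"]) for s in sources):
        return "allowed-by-policy"
    return "policy-violation"
```

Running triage over a day of Sentry CSP reports and dropping the allowed-by-policy bucket leaves only reports the policy itself can explain.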