In Chrome 73.0.3683.103 console, as of today, I am seeing the following error:
The Content Security Policy 'script-src 'report-sample' 'nonce-PNYOS1z63mBa/Tqkqyii' 'unsafe-inline';object-src 'none';base-uri 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
I believe this is from script src="https://apis.google.com/js/platform.js"... Everything seems to work. The initiator seems to be https://content.googleapis.com/static/proxy.html?usegapi=1...
What is causing this and how can I fix it?
Edit: As of today, I am no longer seeing the error. So I assume Google has fixed this issue.
Asked Apr 5, 2019 at 13:47 by Ted Scheckler; edited Apr 17, 2019 at 0:10.
3 Answers
If the parent page is owned by you, there are a couple of things you can do to correct this. If the parent page is not owned by you, there's nothing you can do, but this warning won't affect your experience.
First some background:
What is CSP?
A Content Security Policy or CSP is a header your server can set which tells the browser to enforce a whitelist of what content can run on your page, where it can come from, and how it can run. For example, you can limit what domains JavaScript is allowed to be fetched from, whether JavaScript can run inline, or where JavaScript can make XHR calls out to.
CSP can run in two modes: blocking and reporting.
In blocking mode the browser enforces the policy laid out in the CSP and applies those restrictions to your webpage. In blocking mode you can optionally have any blocked content be reported back to an endpoint you specify in the report-uri directive of the CSP. In reporting mode nothing is blocked; only the things that would have been blocked get reported to the endpoint specified in the policy's report-uri directive.
Your specific issue
The browser warning says that you're running in reporting mode but you haven't specified a report-uri, so it doesn't know where to report violations. In effect, your CSP is doing nothing other than wasting bandwidth because it's not reporting or blocking any issues it's finding.
That leaves you with a few options:
- Do nothing. Your CSP won't alert you about any issues (outside of messages in the console) and it won't block any content.
- Add a report-uri (something like report-uri https://example.com/csp_reports) to receive requests. Even if you're not receiving anything at that endpoint, your specific console warning will disappear (you'll still get console errors for specific CSP violations even if they aren't blocked).
- Switch the CSP into blocking mode. You won't receive any reports, but the warning will disappear as the CSP now serves a purpose of blocking content. Caution: don't do this if it's saying it's blocking a lot of things. That's indicative that your site might break. First, fix the issues it's blocking by adjusting the CSP or changing what resources you're using, and then flip it into blocking mode.
- Switch the CSP into blocking mode and add a report-uri. Long term, this is the best solution from a security standpoint, but the caution from step 3 applies.
If it was me, I would first add a report-uri to understand what warnings my page is generating (note some might be triggered by browser extensions; nothing you can do about that, but that's okay). Once I understand the common warnings, I'd tweak the CSP and what resources I have to make sure the page is loading without any warnings or errors in the console. Then I'd switch the CSP into blocking mode to take advantage of the security benefits it provides.
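A small checker for the exact condition behind this warning (a report-only policy with no report-uri is inert), plus the fix from the answer and a parser for what arrives at the endpoint. This is an added example, not code from the answer or from any library; the endpoint URL and the sample violation report are constructed.

```python
"""Diagnose a CSP header the way Chrome does for the warning in this question,
then show the header with a report-uri appended and parse a violation report."""
import json
from typing import Dict, List

# Policy string quoted verbatim in the question.
PAGE_POLICY = ("script-src 'report-sample' 'nonce-PNYOS1z63mBa/Tqkqyii' "
               "'unsafe-inline';object-src 'none';base-uri 'self'")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [tokens]}.
    Directives are ';'-separated; a directive's tokens are whitespace-separated."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def diagnose(header_name: str, value: str) -> str:
    """'enforcing' for Content-Security-Policy, 'reporting' for a report-only
    header with a report-uri, 'ineffective' for report-only without one."""
    name = header_name.lower()
    if name == "content-security-policy":
        return "enforcing"
    if name == "content-security-policy-report-only":
        return "reporting" if "report-uri" in parse_csp(value) else "ineffective"
    raise ValueError(f"not a CSP header: {header_name}")


def add_report_uri(value: str, endpoint: str) -> str:
    """Append a report-uri directive unless the policy already has one."""
    if "report-uri" in parse_csp(value):
        return value
    return value.rstrip("; ") + "; report-uri " + endpoint


# Constructed example of the JSON body a browser POSTs to the report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src",
    "blocked-uri": "https://third-party.example/widget.js",
    "disposition": "report",          # 'enforce' when sent by a blocking policy
}})


def summarize_report(body: str) -> str:
    """One-line summary of a violation report, as a report endpoint might log it."""
    r = json.loads(body)["csp-report"]
    return (f"{r.get('disposition', 'enforce')}: {r['violated-directive']} "
            f"blocked {r['blocked-uri']} on {r['document-uri']}")
```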
This is related to the server/backend level settings.
If you have access to the server from which the code is served, you can set the header settings. Currently Content-Security-Policy-Report-Only has been set without all required parameters. You can check there and either remove this header (if not required) or set the required parameters.
You can find the header details from here.
One possible solution is to remove some of the Chrome extensions. I had a similar issue in the past, and I was able to resolve it by disabling certain extensions that might have been conflicting with the Content Security Policy. By doing so, it allowed the web page to load without triggering the error. I recommend trying this approach and seeing if it helps in resolving the issue.
Please note that this solution may not work in all cases, as the cause of the Content Security Policy error can vary. However, removing conflicting extensions is a good first step in troubleshooting and addressing such issues.
Remember to always review the extensions you remove and consider the impact they might have on your browsing experience or the functionality they provide.