為了改善您的使用體驗,本網站正在進行維護,部分功能暫時無法使用。若本站的文件無法解決您的問題,想要向社群發問的話,請到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 發問,我們的社群成員將很快會回覆您的疑問。

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Test Content-Security-Policy violation handling

more options

Hi,

I am developing a website of my own and in that website I want to implement a handler for Content-Security-Policy violation reports. I want to test if this handler works as I expect and therefore I have configured a webpage such that is will report CSP violations (I see them in the web developer console) and I want to have them sent to my application's CSP-violation handler.

In my test environment, the application is running on localhost. I have run my web application both on HTTP and HTTPS (with a self-signed certificate), but in neither case Firefox is sending any reports to my application.

My CSP headers look as follows: Content-Security-Policy: report-uri http://localhost:5281/csp-violation;base-uri 'none';default-src 'self';form-action 'none';frame-ancestors 'none';report-to csp-viol;script-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg';style-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg' Reporting-Endpoints: csp-viol=http://localhost:5281/csp-violation Report-To: {"group":"csp-viol","max_age":10886400,"endpoints":[{"url":"http://localhost:5281/csp-violation"}]}

When I run my application using HTTPS, all HTTP in the endpoints will also be HTTPS.

I have verified that when I post something by hand to http://localhost:5281/csp-violation, my handler is executed, so that is not the issue. I believe that Firefox is just not sending the reports. Is there a way to configure Firefox such that it will send the CSP violation reports to my application when run on HTTP(S) on localhost?

Sincerely, Marcel

Hi, I am developing a website of my own and in that website I want to implement a handler for Content-Security-Policy violation reports. I want to test if this handler works as I expect and therefore I have configured a webpage such that is will report CSP violations (I see them in the web developer console) and I want to have them sent to my application's CSP-violation handler. In my test environment, the application is running on localhost. I have run my web application both on HTTP and HTTPS (with a self-signed certificate), but in neither case Firefox is sending any reports to my application. My CSP headers look as follows: Content-Security-Policy: report-uri http://localhost:5281/csp-violation;base-uri 'none';default-src 'self';form-action 'none';frame-ancestors 'none';report-to csp-viol;script-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg';style-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg' Reporting-Endpoints: csp-viol=http://localhost:5281/csp-violation Report-To: {"group":"csp-viol","max_age":10886400,"endpoints":[{"url":"http://localhost:5281/csp-violation"}]} When I run my application using HTTPS, all HTTP in the endpoints will also be HTTPS. I have verified that when I post something by hand to http://localhost:5281/csp-violation, my handler is executed, so that is not the issue. I believe that Firefox is just not sending the reports. Is there a way to configure Firefox such that it will send the CSP violation reports to my application when run on HTTP(S) on localhost? Sincerely, Marcel

所有回覆 (1)

more options

This is just a Firefox browser user help forum not a support ticket site for testing software.

有幫助嗎?

問個問題

如果您還沒有帳號,您必須先登入帳號 來回覆文章。還沒有帳號的話,只能發問新問題