I listen to a few infosec related podcasts, and follow a few people on Twitter in that space. In this particular instance, Scott Helme and Troy Hunt – they built a service called Report URI, and it’s fantastic. It implements a reporting service for violations of Content Security Policy declarations, which can turn up some interesting things.

CSPs are basically, a way for your web server to tell a browser where it can load CSS, JS, iframes, workers etc from. You can run in report-only mode, or enforcement mode. In either case, I’ve got the server configured to tell the browser to send reports to Report URI. In report-only mode, the browser only reports when a violation has occurred, but takes no action otherwise. This is good for getting started, and making sure your policy is correct. In enforcement mode, the browser will flat out refuse to load the resource that violates the policy; this can break a site, which is why report-only mode is a good starting point.

Browsing my reports just now, I saw an enforcement action that I’d not seen before – the browser of someone visiting the site reported that it had enforced a block on loading something from smartlink dot cool. The js file that was blocked had some plain text in it, and from there I was able to find out that it’s not something on my server violating the policy; instead it was an extension in the visitor’s Chrome browser that tried to load some potentially malicious code when they visited my site. I have no idea who the visitor is with the compromised extension; Report URI is anonymized – there’s only a timestamp, and what the violation was.

Report URI is a good thing
Tagged on: