Violation report received:
{
"csp-report"=>{
"document-uri"=>"https://clixiedev-alf.ngrok.io/home",
"referrer"=>"",
"violated-directive"=>"style-src 'self' fonts.googleapis.com",
"effective-directive"=>"style-src",
"original-policy"=>"default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com; script-src 'self' www.gstatic.com; report-uri https://clixiedev-alf.ngrok.io/report_csp/",
"blocked-uri"=>"",
"status-code"=>0
}}
This occurs when trying to load the styles from fonts.googleapis.com, as defined in the CSP directive for style-src:
style-src 'self' fonts.googleapis.com;
{"csp-report"=>{
"document-uri"=>"https://clixiedev-alf.ngrok.io/home",
"referrer"=>"",
"violated-directive"=>"script-src 'self' www.gstatic.com",
"effective-directive"=>"script-src",
"original-policy"=>"default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com; script-src 'self' www.gstatic.com; report-uri https://clixiedev-alf.ngrok.io/report_csp/",
"blocked-uri"=>"",
"status-code"=>0
}}
This happens when trying to load a script from www.gstatic.com, as defined in the CSP directive for script-src:
script-src 'self' www.gstatic.com;
The CSP header I have configured is:
default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com; script-src 'self' www.gstatic.com; report-uri https://clixiedev-alf.ngrok.io/report_csp/
Do you have any idea why this is happening? Or any suggestion that would help in the resolution of this issue?
Thanks
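
How a browser picks the source list for each directive in the policy quoted above, as an added example that is not part of the original post: once style-src or script-src is present, default-src (and its 'unsafe-inline') is no longer consulted for that directive. The function names are hypothetical, and only directives that fall back directly to default-src are modelled.

```javascript
// Policy copied from the post above.
const POLICY =
  "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; " +
  "frame-ancestors 'self'; font-src 'self' fonts.gstatic.com; " +
  "style-src 'self' fonts.googleapis.com; script-src 'self' www.gstatic.com; " +
  "report-uri https://clixiedev-alf.ngrok.io/report_csp/";

// Modelled subset: directives that fall back directly to default-src when absent.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "manifest-src",
]);

// Split a policy string into { directive-name: [source expressions] }.
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Source list actually enforced for a directive, and which directive supplied it.
function effectiveSources(policy, directive) {
  const d = parsePolicy(policy);
  if (directive in d) return { from: directive, sources: d[directive] };
  if (FALLS_BACK_TO_DEFAULT.has(directive) && "default-src" in d) {
    return { from: "default-src", sources: d["default-src"] };
  }
  return { from: null, sources: null }; // nothing restricts this directive
}

// True when 'unsafe-inline' is honoured for the directive.
function allowsUnsafeInline(policy, directive) {
  const { sources } = effectiveSources(policy, directive);
  if (sources === null) return true;
  // A nonce or hash in the same list makes browsers ignore 'unsafe-inline'.
  if (sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) return false;
  return sources.includes("'unsafe-inline'");
}

for (const name of ["style-src", "script-src", "img-src"]) {
  const { from, sources } = effectiveSources(POLICY, name);
  console.log(`${name}: governed by ${from} -> ${sources.join(" ")}; ` +
    `'unsafe-inline' honoured: ${allowsUnsafeInline(POLICY, name)}`);
}
```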