In our web application, we have a CSP that is configured in report-only mode, but one day we would like to arm it so that it blocks potentially harmful content. We seem to be getting erroneous reports from iOS 8.2 (iPad and iPhone) that look like this:
{
  "csp-report": {
    "document-uri": "https://one.two.example.edu.us/",
    "referrer": "",
    "violated-directive": "font-src 'self' *.googleapis.com *.gstatic.com",
    "original-policy": "default-src crwebinvoke: crwebinvokeimmediate: crwebnull: 'self' https://localhost:0/chromecheckurl 'self' localhost:* data: wss://localhost:* ws://localhost:* ; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com localhost:*; style-src 'self' 'unsafe-inline' *.googleapis.com code.jquery.com; font-src 'self' *.googleapis.com *.gstatic.com; report-uri /CSP/Report",
    "blocked-uri": "null",
    "source-file": "https://one.two.example.edu.us/bundles/vender-head?v=0dU-czAflklsV7hMNDvsoTAY6f5NVb4pP01dZ_rIvO81",
    "line-number": 1
  }
}
The document-uri and the source-file are identical, so I cannot understand why Mobile Safari on iOS 8.2 would treat this as a violation of font-src 'self', as this is clearly a self-contained document.
Users seem to be using iOS:
Mozilla/5.0 (iPhone; CPU iPhone OS 8_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/41.0.2272.58 Mobile/12D508 Safari/600.1.4
Mozilla/5.0 (iPad; CPU OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4
Has anyone come across this and found a fix? I'm worried that if I arm the CSP, it will start blocking these fonts for iOS users.
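As an added example (not part of the question above, and not code from the site in question), here is a small Python triage routine of the kind a practitioner would run over a report-only CSP log before switching to enforcement. It assumes a SERVER_POLICY equal to the reported original-policy minus the crwebinvoke:/crwebnull:/localhost sources, on the assumption that those were added on the client side and never sent by the server; the report quoted in the question is embedded as a constructed sample, together with two further constructed reports (an injected third-party script, and a font from an allowlisted host). It flags a report as "noise" when the blocked-uri is not a resolvable URL (such as "null") or when the blocked host is already allowed by the matching directive, and notes separately when the reported policy contains sources the server never sent.

```python
import json
from urllib.parse import urlsplit

# ASSUMPTION: the policy the server actually sends. This is the original-policy
# from the question with the crwebinvoke:/crwebinvokeimmediate:/crwebnull:/localhost
# sources removed, assuming those were added by the client, not the server.
SERVER_POLICY = (
    "default-src 'self' data:; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com; "
    "style-src 'self' 'unsafe-inline' *.googleapis.com code.jquery.com; "
    "font-src 'self' *.googleapis.com *.gstatic.com; "
    "report-uri /CSP/Report"
)

# blocked-uri values browsers send when they cannot name a real URL
# (inline content, extensions, redirects, browser-internal fetches).
UNRESOLVABLE = {"", "null", "about", "about:blank", "self", "inline", "eval", "data", "blob"}


def parse_policy(policy):
    """'font-src a b; script-src c' -> {'font-src': {'a', 'b'}, 'script-src': {'c'}}."""
    out = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts:
            out[parts[0].lower()] = set(parts[1:])
    return out


def host_source_matches(source, host):
    """Minimal host-source match: exact host or a '*.example.com' wildcard.
    Schemes, ports and paths are ignored; fine for triage, not for enforcement."""
    s = source.lower()
    if s.startswith("*."):
        return host.endswith(s[1:]) or host == s[2:]
    return host == s


def triage(report, server_policy=SERVER_POLICY):
    """Classify one csp-report body as 'noise' or 'actionable', with reasons and notes."""
    if isinstance(report, (str, bytes)):
        report = json.loads(report)
    r = report["csp-report"]
    server = parse_policy(server_policy)
    reported = parse_policy(r.get("original-policy", ""))
    reasons, notes = [], []

    # 1. Did the client report a policy the server never sent? Extra sources mean
    #    something on the device (browser, extension, proxy) rewrote the header.
    for directive, sources in reported.items():
        extra = sources - server.get(directive, set())
        if extra:
            notes.append("client-modified policy: %s gained %s" % (directive, sorted(extra)))

    # 2. A blocked-uri that is not a URL cannot be the external resource we fear.
    blocked = r.get("blocked-uri", "")
    if blocked.lower() in UNRESOLVABLE:
        reasons.append("unresolvable blocked-uri %r" % blocked)
        return {"verdict": "noise", "reasons": reasons, "notes": notes}

    # 3. Work out which directive was violated (older browsers send the whole
    #    directive text, newer ones send effective-directive) and its allowlist.
    tokens = (r.get("effective-directive") or r.get("violated-directive", "")).split()
    directive = tokens[0].lower() if tokens else "default-src"
    allowed = server.get(directive, server.get("default-src", set()))
    host = (urlsplit(blocked).hostname or "").lower()
    doc_host = (urlsplit(r.get("document-uri", "")).hostname or "").lower()

    if "'self'" in allowed and host == doc_host:
        reasons.append("blocked host is 'self' for %s: browser quirk, not a policy gap" % directive)
    elif any(host_source_matches(s, host)
             for s in allowed if not s.startswith("'") and not s.endswith(":")):
        reasons.append("blocked host %s is already allowed by %s" % (host, directive))

    return {"verdict": "noise" if reasons else "actionable", "reasons": reasons, "notes": notes}


# Constructed samples. IOS_REPORT is the report quoted in the question; the other two are made up.
IOS_REPORT = {"csp-report": {
    "document-uri": "https://one.two.example.edu.us/",
    "referrer": "",
    "violated-directive": "font-src 'self' *.googleapis.com *.gstatic.com",
    "original-policy": "default-src crwebinvoke: crwebinvokeimmediate: crwebnull: 'self' "
                       "https://localhost:0/chromecheckurl 'self' localhost:* data: "
                       "wss://localhost:* ws://localhost:* ; script-src 'self' 'unsafe-inline' "
                       "'unsafe-eval' *.googleapis.com localhost:*; style-src 'self' "
                       "'unsafe-inline' *.googleapis.com code.jquery.com; font-src 'self' "
                       "*.googleapis.com *.gstatic.com; report-uri /CSP/Report",
    "blocked-uri": "null",
    "source-file": "https://one.two.example.edu.us/bundles/vender-head?v=0dU-czAflklsV7hMNDvsoTAY6f5NVb4pP01dZ_rIvO81",
    "line-number": 1}}

INJECTED_SCRIPT = {"csp-report": {          # constructed: a real third-party script load
    "document-uri": "https://one.two.example.edu.us/",
    "violated-directive": "script-src",
    "original-policy": SERVER_POLICY,
    "blocked-uri": "https://cdn.attacker.example/loader.js"}}

ALLOWED_FONT = {"csp-report": {             # constructed: a font from an allowlisted host
    "document-uri": "https://one.two.example.edu.us/",
    "violated-directive": "font-src 'self' *.googleapis.com *.gstatic.com",
    "original-policy": SERVER_POLICY,
    "blocked-uri": "https://fonts.gstatic.com/s/roboto/v1/x.woff"}}

if __name__ == "__main__":
    for name, sample in (("ios", IOS_REPORT), ("script", INJECTED_SCRIPT), ("font", ALLOWED_FONT)):
        print(name, triage(sample))
```

Run this over the JSON bodies your report-uri endpoint has collected; anything that comes back "actionable" is what enforcement would really block, while "noise" with a client-modified-policy note is the pattern the question shows (a rewritten policy and a "null" blocked-uri), which an enforced policy cannot fix on the server side and which does not indicate a real font load being refused.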