Snyk Community

JakobTheDev

Hey everybody, has anybody come across a way to test if CSP or mixed content is blocking content from loading in the browser?

Thinking about building something but it would be handy to know if there's anything out there that does this already.

Discussion (11)

Shai Alon

You need to connect your CSP to send browser reports of violations (blocks).
You can use rapidsec.com that helps you easily generate a good CSP that will block attacks, but allow legitimate parts of your site.

DevSecCon

This post was originally asked in the DevSecCon Slack.
If you haven't yet done so, you can join here.

SnykCommunity

Would the report-uri bit of CSP be useful here, or am I misunderstanding?

SnykCommunity

The report-uri endpoint of CSP is meant to collect these notifications. This tries to normalize them. I know of a browser plugin being developed to help with this as well. Don't have an ETA.

JakobTheDev (author)

Of course, report-uri totally makes sense. Thanks, I'll check out csper too 😄

James Ramirez

Is csp-evaluator.withgoogle.com/ something you've tried?

JakobTheDev (author)

Thanks, that looks useful! But not quite what I'm after in this case. Part of our manual testing is to open devtools and make sure there are no errors where legitimate content is being blocked due to CSP or mixed-content. It would be handy to automate that as a post-deploy check.

James Ramirez

Ah, not come across anything, but interested if you find something.

JakobTheDev (author)

It should be pretty straightforward to spin up a headless browser then report on any console errors. I'll keep looking and will post back here if I find anything.
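Putting the two ideas from this thread together (CSP report-uri payloads, and console errors captured from a headless browser), here is an added example that is not from any poster: it normalises both inputs into one list of blocked resources and then separates regressions (a host the site legitimately loads from got blocked) from the policy doing its job. The headless-browser and report-endpoint plumbing is assumed to exist around it, the console wording is modelled on Chromium and is an assumption, and every sample input is constructed.

```javascript
// Normalise one CSP Level 2 report-uri payload: {"csp-report": {...}}.
function normalizeCspReport(payload) {
  const r = JSON.parse(payload)["csp-report"];
  if (!r) return null;
  return { kind: "csp", page: r["document-uri"], blocked: r["blocked-uri"],
           directive: r["effective-directive"] || r["violated-directive"] || null };
}

// Patterns modelled on Chromium's console wording (an assumption, not a stable
// contract); Firefox and WebKit phrase these messages differently.
const CSP_RE = /Refused to \w+ [^']*'([^']+)'.*Content Security Policy/;
const MIXED_RE = /Mixed Content: The page at '([^']+)'.*requested an insecure [^']*'([^']+)'/;

function classifyConsoleMessage(page, text) {
  let m = CSP_RE.exec(text);
  if (m) return { kind: "csp", page, blocked: m[1], directive: null };
  m = MIXED_RE.exec(text);
  if (m) return { kind: "mixed-content", page: m[1], blocked: m[2], directive: null };
  return null; // an ordinary console error, not a blocked resource
}

// Hostname of a blocked-uri (raw token for "inline", "eval", "data", ...). Hostname
// rather than origin, so an http:// mixed-content block of a known host still counts.
function hostOf(blocked) {
  try { return new URL(blocked).hostname; } catch { return blocked; }
}

// Regression: a host the site legitimately loads from was blocked. Anything else
// is the policy working as intended and is listed separately for review.
function checkDeployment(findings, expectedHosts) {
  const expected = new Set(expectedHosts);
  const regressions = [], policyBlocks = [];
  for (const f of findings.filter(Boolean)) {
    (expected.has(hostOf(f.blocked)) ? regressions : policyBlocks).push(f);
  }
  return { ok: regressions.length === 0, regressions, policyBlocks };
}

// Constructed sample: one report-uri payload and three console lines as a
// headless browser would emit them for the same page.
function runSampleCheck() {
  const page = "https://shop.example/checkout";
  const report = JSON.stringify({ "csp-report": { "document-uri": page,
    "blocked-uri": "https://cdn.example/app.js", "effective-directive": "script-src" } });
  const consoleLines = [
    "Refused to load the script 'https://unexpected.example/t.js' because it violates the following Content Security Policy directive: \"script-src 'self' https://cdn.example\".",
    "Mixed Content: The page at 'https://shop.example/checkout' was loaded over HTTPS, but requested an insecure image 'http://img.example/logo.png'. This request has been blocked; the content must be served over HTTPS.",
    "Uncaught TypeError: Cannot read properties of undefined",
  ];
  const findings = [normalizeCspReport(report), ...consoleLines.map((t) => classifyConsoleMessage(page, t))];
  return checkDeployment(findings, ["shop.example", "cdn.example", "img.example"]);
}
```

In a real post-deploy job the `consoleLines` array would be filled from the headless browser's console event hook and `report` from the report-uri endpoint, and `ok === false` would fail the pipeline.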