Without CSP violation reporting, you have no signal when your extension's security policy is being actively exercised — either by legitimate-but-unexpected resource loads during development, or by an attacker probing injection paths in the wild. NIST SP 800-53 SI-7 (Software, Firmware, and Information Integrity) requires detective controls to surface policy violations. A report-uri or report-to endpoint gives you an event stream of blocked requests, which is the only way to distinguish a misconfigured CSP from an ongoing attack attempt. This is an observability gap, not a direct vulnerability — but the absence of signal means breaches go undetected longer.
Info because absence of violation reporting does not directly increase attack surface, but eliminates the detective control needed to identify active exploitation or CSP misconfiguration in production.
Add a report-uri endpoint to your CSP in manifest.json. Any HTTPS endpoint that accepts a POST with Content-Type: application/csp-report will work — services like Report URI or your own logging endpoint.
"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none'; report-uri https://csp.yourdomain.com/report"
}
For modern browsers, prefer report-to with a named reporting group, though report-uri has wider compatibility across extension-hosting surfaces.
ID: extension-permissions-security.content-security-policy.violation-reporting
Severity: info
What to look for: Search the CSP in manifest.json for report-uri or report-to directives. Count the number of reporting endpoints configured. Also check for any CSP violation handling code in the extension.
Pass criteria: At least 1 reporting endpoint is configured via report-uri or report-to in the CSP to catch CSP violations in the wild. The endpoint URL should be a valid HTTPS destination.
Fail criteria: No reporting configured in the CSP string.
Skip (N/A) when: Development builds only, not released to store.
Detail on fail: "No CSP violation reporting configured in manifest.json."
Remediation: Add a report-uri to catch when your CSP blocks unexpected scripts or resources, helping you debug issues or detect attacks.
"content_security_policy": { "extension_pages": "script-src 'self'; report-uri https://csp.example.com/report" }
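The check described above (skip for development builds, fail when no report-uri or report-to is present or a report-uri is not HTTPS, pass otherwise), written out as an added Python example that is not part of this rule's own tooling. The sample manifests are constructed for illustration, and handling of the MV2 single-string CSP form is an assumption beyond the MV3 dict shown above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample manifests (not from any real extension) to exercise the check.
MANIFEST_WITH_REPORTING = ('{"manifest_version": 3, "content_security_policy": {"extension_pages": '
    '"script-src \'self\'; object-src \'none\'; report-uri https://csp.example.com/report"}}')
MANIFEST_WITHOUT_REPORTING = ('{"manifest_version": 3, "content_security_policy": '
    '{"extension_pages": "script-src \'self\'; object-src \'none\'"}}')

def csp_strings(manifest: dict) -> list:
    """Return every CSP string in the manifest: MV3 dict form or MV2 plain string (assumed)."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        return [csp]
    return [v for v in csp.values() if isinstance(v, str)] if isinstance(csp, dict) else []

def reporting_directives(policy: str) -> tuple:
    """Split one CSP string into (report-uri URLs, report-to group names)."""
    uris, groups = [], []
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "report-uri":
            uris.extend(tokens[1:])
        elif tokens and tokens[0].lower() == "report-to":
            groups.extend(tokens[1:])
    return uris, groups

def is_https_url(value: str) -> bool:
    """Pass criteria: a report-uri endpoint must be a valid HTTPS destination."""
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)

def check_violation_reporting(manifest_json: str, released_to_store: bool = True) -> dict:
    """Apply the rule's skip/fail/pass criteria to one manifest.json document."""
    if not released_to_store:  # Skip (N/A): development builds only
        return {"result": "skip", "endpoints": [], "detail": "Development build, not released."}
    uris, groups = [], []
    for policy in csp_strings(json.loads(manifest_json)):
        u, g = reporting_directives(policy)
        uris, groups = uris + u, groups + g
    if not uris and not groups:
        return {"result": "fail", "endpoints": [],
                "detail": "No CSP violation reporting configured in manifest.json."}
    insecure = [u for u in uris if not is_https_url(u)]
    if insecure:
        return {"result": "fail", "endpoints": uris + groups,
                "detail": "report-uri endpoint is not HTTPS: " + ", ".join(insecure)}
    return {"result": "pass", "endpoints": uris + groups, "detail": ""}
```

Note that a report-to value is a reporting group name rather than a URL, so only report-uri values are checked for HTTPS.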