Our web server constantly gets CSP reports of violations even though we have added the domain as well as even a wildcard to just allow all for api2.amplitude.com.
"original-policy":"base-uri 'self';object-src 'none'; report-uri /csp-report; img-src 'self' data: *;style-src 'unsafe-eval' 'unsafe-inline' 'self' *; font-src 'unsafe-eval' 'unsafe-inline' 'self' data: *; connect-src 'report-sample' 'self' api2.amplitude.com *; media-src 'self' blob: data: *; script-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com https://maps.googleapis.com https://maps.gstatic.com https://connect.facebook.net; default-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com;",
This keeps saying that we are violating connect-src but our connect-src policy is: connect-src 'report-sample' 'self' api2.amplitude.com *;
We’ve tried with just the wildcard as well but same result.
Currently api2.amplitude.com is the only one triggering the violation.
FYI, we still get events from browsers but this CSP violation happens almost once a day so we have concerns about potential loss of events.
Best answer by eddie.gaona
Thanks for reaching out about this issue @john.innocaption. I’ll make sure we send this to the team for further reviews.
@john.innocaption hope you are doing well!
I checked with our engineering team regarding this issue and they advised if you could try the following:
connect-src 'report-sample' 'self' https://api2.amplitude.com *
Is this something that you can try on your end, please?
Sure, we can try that.
We are still seeing it:
@john.innocaption thank you for the information!
A couple of items that you can try:
Nothing on the server, and on browsers I can see the CSP header just fine.
At this point, I think it may possibly be some sort of anti-tracking plugin that a user is using since it’s only the amplitude domain that keeps triggering this.
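Triaging the /csp-report stream along the line of reasoning the thread ends on (a violation that the enforced policy already allows cannot be the page's doing), as an added example that is not code from the thread or from Amplitude: it parses the report-uri JSON, checks blocked-uri against the effective directive of the original-policy quoted above, and buckets each report. The report shape is the CSP Level 2 `csp-report` object; the document URI and the non-Amplitude blocked URIs are constructed, and the source matching covers scheme, host and wildcard hosts only (no paths, nonces or hashes).

```python
import json
from urllib.parse import urlparse

# The original-policy quoted in the thread's CSP report (wrapped here only for readability).
POLICY = ("base-uri 'self';object-src 'none'; report-uri /csp-report; img-src 'self' data: *;style-src 'unsafe-eval' "
          "'unsafe-inline' 'self' *; font-src 'unsafe-eval' 'unsafe-inline' 'self' data: *; connect-src 'report-sample' "
          "'self' api2.amplitude.com *; media-src 'self' blob: data: *; script-src 'unsafe-eval' 'unsafe-inline' "
          "'report-sample' 'self' cdn.amplitude.com https://maps.googleapis.com https://maps.gstatic.com "
          "https://connect.facebook.net; default-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com;")

# Constructed reports in the CSP Level 2 report-uri JSON shape (the document URI is made up).
SAMPLE_REPORTS = [json.dumps({"csp-report": {"document-uri": "https://app.example.test/",
                  "original-policy": POLICY, "effective-directive": d, "blocked-uri": u}})
                  for d, u in [("connect-src", "https://api2.amplitude.com"),   # allowed by the policy
                               ("script-src", "https://cdn.untrusted.example"),  # not allowed
                               ("img-src", "blob:")]]                           # '*' excludes blob:

def parse_policy(policy):
    """Serialized CSP -> {directive: [source expressions]}."""
    parts = [d.split() for d in policy.split(";") if d.strip()]
    return {p[0].lower(): p[1:] for p in parts}

def source_allows(expr, blocked, document):
    """Match one source expression against a blocked URL (scheme/host/wildcard only, no path)."""
    expr, host = expr.lower(), blocked.hostname or ""
    if expr == "*":                        # '*' never covers data:, blob: or filesystem:
        return blocked.scheme in ("http", "https", "ws", "wss", document.scheme)
    if expr == "'self'":
        return (blocked.scheme, blocked.netloc) == (document.scheme, document.netloc)
    if expr.startswith("'"):               # other keywords never match a URL
        return False
    if expr.endswith(":"):                 # scheme-source such as data: or https:
        return blocked.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("//")
    if scheme and blocked.scheme != scheme.rstrip(":"):
        return False
    pattern = rest.split("/")[0].split(":")[0]
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def report_is_covered(report_json):
    """True if the policy the browser says it enforced already permits the blocked URI."""
    r = json.loads(report_json)["csp-report"]
    directives = parse_policy(r["original-policy"])
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    sources = directives.get(directive, directives.get("default-src", []))
    blocked, document = urlparse(r["blocked-uri"]), urlparse(r["document-uri"])
    return any(source_allows(s, blocked, document) for s in sources)

def triage(reports):
    """Reports the enforced policy already allows point at client-side interference, not the page."""
    return {"likely-extension": [r for r in reports if report_is_covered(r)],
            "genuine": [r for r in reports if not report_is_covered(r)]}
```

Running `triage(SAMPLE_REPORTS)` puts the api2.amplitude.com report in the "likely-extension" bucket and the other two under "genuine", so the daily report described above can be filtered from alerting without hiding real violations.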