Solved

Constantly getting connect-src api2.amplitude.com violated-directive

  • 20 March 2023
  • 6 replies
  • 328 views

Badge

Our web server constantly gets CSP reports of violations even though we have added the domain as well as even a wildcard to just allow all for api2.amplitude.com.

{
   "csp-report":{
      "document-uri":"<redacted>",
      "referrer":"<redacted>",
      "violated-directive":"connect-src",
      "effective-directive":"connect-src",
      "original-policy":"base-uri 'self';object-src 'none'; report-uri /csp-report; img-src 'self' data: *;style-src 'unsafe-eval' 'unsafe-inline' 'self' *; font-src 'unsafe-eval' 'unsafe-inline' 'self' data: *; connect-src 'report-sample' 'self' api2.amplitude.com *; media-src 'self' blob: data: *; script-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com https://maps.googleapis.com https://maps.gstatic.com https://connect.facebook.net; default-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com;",
      "disposition":"enforce",
      "blocked-uri":"https://api2.amplitude.com/2/httpapi",
      "status-code":200,
      "script-sample":""
   }
}

This keeps saying that we are violating connect-src but our connect-src policy is: connect-src 'report-sample' 'self' api2.amplitude.com *;

We’ve tried with just the wildcard as well but same result.
Currently api2.amplitude.com is the only one trigger the violation.

FYI, we still get events from browsers but this CSP violation happens almost once a day so we have concerns about potential loss of events.

Please help!

icon

Best answer by eddie.gaona 24 March 2023, 17:14

View original

6 replies

Userlevel 6
Badge +9

Thanks for reaching out about this issue @john.innocaption. I’ll make sure we send this to the team for further reviews. 

Userlevel 5
Badge +9

Hello @john.innocaption hope you are doing well!

I checked with our engineering team regarding this issue and they advised if you could trying the following:

connect-src ‘report-sample’ ‘self’ https://api2.amplitude.com * 

Is this something that you can try on your end, please?

Badge

Sure we can try that.

Badge

We are still seeing it:

{
"csp-report":{
"document-uri":"<redacted>",
"referrer":"<redacted>",
"violated-directive":"connect-src",
"effective-directive":"connect-src",
"original-policy":"base-uri 'self';object-src 'none'; report-uri /csp-report; img-src 'self' data: *;style-src 'unsafe-eval' 'unsafe-inline' 'self' *; font-src 'unsafe-eval' 'unsafe-inline' 'self' data: *; connect-src 'report-sample' 'self' https://api2.amplitude.com *; media-src 'self' blob: data: *; script-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com https://maps.googleapis.com https://maps.gstatic.com https://connect.facebook.net; default-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com;",
"disposition":"enforce",
"blocked-uri":"https://api2.amplitude.com/2/httpapi",
"status-code":200,
"script-sample":""
}
}

 

Userlevel 5
Badge +9

Hello @john.innocaption thank you for the information!

A couple of items that you can try:

  • Check the server logs to see if there are any errors or warnings related to the CSP policy. This may provide some insights into what is happening and why the policy is not being applied as expected.
  • Double-check that the policy is being sent correctly in the HTTP headers.
Badge

Nothing on the server, and on browsers I can see the CSP header just fine.

At this point, I think it may possibly be some sort of anti-tracking plugin that a user is using since it’s only the amplitude domain that keeps triggering this.

Reply