Tags: security, safari, evernote, browser-plugin, content-security-policy

Evernote Web Clipper and Content Security Policy


We're currently introducing a Content Security Policy on a website. We started by inserting the Content-Security-Policy-Report-Only header to get some feedback about the impact. Soon we found out that the Evernote Web Clipper plugin in the Safari browser violates the CSP directives, as it seems to inject some code into the page.

We get this in the CSP report:

{"csp-report":
    {
        "document-uri":"http://example.com/index.html",
        "violated-directive":"default-src 'self'",
        "original-policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; report-uri http://example.com/report.html",
        "blocked-uri":"safari-extension://com.evernote.safari.clipper-uahs7eh2ja",
        "source-file":"http://example.com/js/jquery.js",
        "line-number":2
    }
}

How do we need to modify the CSP header so that the Evernote Web Clipper plugin is not blocked? The blocked-uri seems to contain a user-specific id at the end, which makes it pretty difficult.


Solution

  • You're right, the last bit of the blocked-uri does vary across computers, and you can't use a wildcard to whitelist it. The only way to unblock the Web Clipper is to unblock all Safari extensions by putting safari-extension://* in default-src, so your policy would look like:

    default-src 'self' safari-extension://*; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; report-uri http://example.com/report.html
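To see why the answer above works and why a partial wildcard cannot, here is an added example (not code from the question, the answer, or Evernote) that implements the small subset of the CSP source-list grammar this thread needs: keyword sources, scheme sources such as safari-extension:, and host sources with an optional scheme, a bare * host or a leading *. label. The document origin (http://example.com with no explicit port) is assumed from the report's document-uri; the policies and blocked-uri are copied from the question. It also includes a small helper for a report endpoint that tags reports whose blocked-uri is a browser-extension scheme, which are noise the site cannot fix.

```javascript
// Added example, not part of the original question or answer: a simplified
// CSP source-list matcher. It covers only the grammar subset needed here
// (keywords, scheme sources, host sources with optional scheme, "*" host or
// a leading "*." label) and compares ports literally, with no default-port
// folding and no http->https upgrade rule.

// Split "scheme://host[:port][/path]" into parts; null if the URL has no host.
function parseUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?(\/[^?#]*)?/i.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' };
}

// Parse one source expression. Returns null when it does not fit the grammar,
// which is what happens to a partial host wildcard such as "clipper-*":
// "*" is only allowed as the whole host or as the leftmost label ("*.").
function parseSourceExpression(expr) {
  const kw = /^'(self|none|unsafe-inline|unsafe-eval)'$/.exec(expr);
  if (kw) return { keyword: kw[1] };
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return { scheme: schemeOnly[1].toLowerCase(), host: null };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || '' };
}

// Parse "directive src src; directive src" into a Map of directive -> [source].
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one parsed source expression match a parsed target URL?
// `self` is the document origin ({scheme, host, port}); it is used by 'self'
// and supplies the scheme for scheme-less host sources.
function sourceMatches(src, target, self) {
  if (src.keyword === 'self') {
    return target.scheme === self.scheme && target.host === self.host && target.port === self.port;
  }
  if (src.keyword) return false;                // 'none' and the unsafe-* keywords never match a URL
  const wantScheme = src.scheme || self.scheme;
  if (target.scheme !== wantScheme) return false;
  if (src.host === null) return true;           // scheme source, e.g. "safari-extension:"
  if (src.host === '*') return true;            // any host under that scheme
  if (src.host.startsWith('*.')) {
    if (!target.host.endsWith(src.host.slice(1))) return false;
  } else if (target.host !== src.host) {
    return false;
  }
  return src.port === '*' || src.port === target.port;
}

// Would `policy` allow `url` to load under `directive`? A fetch directive that
// is absent falls back to default-src; if that is absent too, everything loads.
function policyAllows(policy, directive, url, self) {
  const target = parseUrl(url);
  if (!target) throw new Error('unsupported URL: ' + url);
  const directives = parsePolicy(policy);
  const sources = directives.has(directive) ? directives.get(directive) : directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((expr) => {
    const src = parseSourceExpression(expr);
    if (src === null) throw new Error('invalid source expression: ' + expr);
    return sourceMatches(src, target, self);
  });
}

// Report-endpoint helper: reports whose blocked-uri is a browser-extension
// scheme come from the user's own extensions, not from the site's content.
const EXTENSION_SCHEMES = new Set(['safari-extension', 'safari-web-extension', 'chrome-extension', 'moz-extension']);
function isExtensionReport(report) {
  const blocked = parseUrl((report['csp-report'] || {})['blocked-uri'] || '');
  return blocked !== null && EXTENSION_SCHEMES.has(blocked.scheme);
}

// Constructed inputs taken from the question above; the origin is assumed
// from its document-uri (http, no explicit port).
const SELF = { scheme: 'http', host: 'example.com', port: '' };
const ORIGINAL_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; report-uri http://example.com/report.html";
const AMENDED_POLICY = "default-src 'self' safari-extension://*; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; report-uri http://example.com/report.html";
const CLIPPER = 'safari-extension://com.evernote.safari.clipper-uahs7eh2ja';

function demo() {
  return {
    originalAllowsClipper: policyAllows(ORIGINAL_POLICY, 'default-src', CLIPPER, SELF),
    amendedAllowsClipper: policyAllows(AMENDED_POLICY, 'default-src', CLIPPER, SELF),
    partialWildcardIsValid: parseSourceExpression('safari-extension://com.evernote.safari.clipper-*') !== null,
    amendedScriptSrcAllowsClipper: policyAllows(AMENDED_POLICY, 'script-src', CLIPPER, SELF),
  };
}
console.log(demo());
```

Two points the matcher makes concrete. First, the amended policy only changes default-src; script-src and style-src carry their own source lists and do not inherit from default-src, so an extension resource blocked under one of those directives would still be reported. Second, safari-extension://* admits every Safari extension, not just the clipper, which is the trade-off the answer describes; on the report-only side, isExtensionReport lets the endpoint separate that extension noise from violations the site can actually fix.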