CSP-Report

Discussion in 'privacy general' started by Sampei Nihira, Mar 17, 2025.

  1. Sampei Nihira (Registered Member; joined Apr 7, 2013; 3,800 posts; Italy)

    At the beginning of this week I did an interesting test.

    CSP report should be blocked when requests lead to a third party website.

    If a report is sent to an address on a currently open domain, it should not be blocked.
    This can be verified with this test:


    https://apps.armin.dev/ping-spotter/#

    But how can you test whether CSP report with third-party requests is blocked?
    Using this test:


    https://canhas.report/csp-report-uri

    You can see in the image below the behavior of Edge, at this last test, without extensions:

    https://ibb.co/pBWYhxvf

    The behavior should be identical with:

    Edge + uBlock Origin (CSP Report disabled):

    https://ibb.co/yFWVsByb

    Edge + AdGuard Adblocker v.5.x:

    https://ibb.co/rGwgCdw1


    Firefox without extensions has a different test behavior than Edge.
    JS tag attack is not blocked:

    https://ibb.co/Qx3Pvg9


    It would be possible (in an easier way) to enable the CSP-Report block in uBlock Origin.
    But doing so would also block the (legitimate) CSP-Report test Ping Spotter.

    A compromise therefore needs to be found.

    P.S.

    I chose not to enable the CSP-Report block in uBlock Origin,
    and let Hard Mode block *.has.report/report by default.

    Beware that the * changes each time the test is accessed.

    https://ibb.co/pvvjLngZ
    Last edited: Mar 17, 2025
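The distinction the post draws (a CSP report sent to the page's own site versus one sent to a third-party host such as a rotating *.has.report subdomain) can be checked mechanically from a page URL and its Content-Security-Policy header. The following is an added example written for this thread, not code from the post or from the test sites it links; it runs under Node.js with the built-in URL class and approximates "same site" by the last two DNS labels, which is an assumption (browsers use the Public Suffix List).

```javascript
// Added example: classify the report-uri endpoints declared in a
// Content-Security-Policy header as first-party or third-party relative
// to the page that served it. Uses only Node's built-in URL class.
// Assumption: "same site" is approximated by the last two DNS labels
// (so a.has.report and b.has.report count as one site). Real browsers
// consult the Public Suffix List, which is not embedded here.

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Collect every URL token that follows a report-uri directive.
function reportEndpoints(cspHeader) {
  return cspHeader
    .split(';')
    .map(d => d.trim())
    .filter(d => d.toLowerCase().startsWith('report-uri'))
    .flatMap(d => d.split(/\s+/).slice(1));
}

// Resolve each endpoint against the page URL (report-uri may be relative)
// and flag those whose registrable domain differs from the page's.
function classifyReportEndpoints(pageUrl, cspHeader) {
  const page = new URL(pageUrl);
  return reportEndpoints(cspHeader).map(raw => {
    const target = new URL(raw, page);
    const thirdParty =
      registrableDomain(target.hostname) !== registrableDomain(page.hostname);
    return { endpoint: target.href, thirdParty };
  });
}

// Constructed sample input: a page on example.com whose policy reports both
// to itself and to a random subdomain of a different site, mirroring the
// *.has.report/report pattern the post describes.
const SAMPLE_PAGE = 'https://example.com/test';
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self'; " +
  'report-uri /csp-endpoint https://abc123.has.report/report';

for (const r of classifyReportEndpoints(SAMPLE_PAGE, SAMPLE_CSP)) {
  console.log(`${r.thirdParty ? 'third-party' : 'first-party'}  ${r.endpoint}`);
}
```

A blocker rule of the kind the post settles on (block *.has.report/report) corresponds to denying the endpoints this function flags as third-party while leaving the first-party one, such as the Ping Spotter test's own-domain report, untouched.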