feat: enable reporting for CSP errors (rollbar#903)

Author: waltjones

examples/csp-errors.html

@@ -0,0 +1,10 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>Generate CSP error for test automation</title>
+  <script src="https://example.com/v3/"></script>
+</head>
+<body>
+</body>
+</html>

karma.conf.js

@@ -59,6 +59,16 @@ module.exports = function (config) {
       '/examples/': '/base/examples/'
     },
 
+    customHeaders: [
+      // Allow CSP error testing, but leave enough enabled so that karma
+      // can still run correctly.
+      {
+        match: '\\.html',
+        name: 'Content-Security-Policy',
+        value: "default-src 'self' 'unsafe-inline' 'unsafe-eval';"
+      }
+    ],
+
     reporters: ['progress'],
 
     singleRun: true,

src/browser/telemetry.js

@@ -15,7 +15,9 @@ var defaults = {
   log: true,
   dom: true,
   navigation: true,
-  connectivity: true
+  connectivity: true,
+  contentSecurityPolicy: true,
+  errorOnContentSecurityPolicy: false
 };
 
 function replace(obj, name, replacement, replacements, type) {
@@ -89,7 +91,8 @@ function Instrumenter(options, telemeter, rollbar, _window, _document) {
   };
   this.eventRemovers = {
     dom: [],
-    connectivity: []
+    connectivity: [],
+    contentsecuritypolicy: []
   };
 
   this._location = this._window.location;
@@ -117,6 +120,7 @@ Instrumenter.prototype.configure = function(options) {
   }
 };
 
+// eslint-disable-next-line complexity
 Instrumenter.prototype.instrument = function(oldSettings) {
   if (this.autoInstrument.network && !(oldSettings && oldSettings.network)) {
     this.instrumentNetwork();
@@ -147,6 +151,12 @@ Instrumenter.prototype.instrument = function(oldSettings) {
   } else if (!this.autoInstrument.connectivity && oldSettings && oldSettings.connectivity) {
     this.deinstrumentConnectivity();
   }
+
+  if (this.autoInstrument.contentSecurityPolicy && !(oldSettings && oldSettings.contentSecurityPolicy)) {
+    this.instrumentContentSecurityPolicy();
+  } else if (!this.autoInstrument.contentSecurityPolicy && oldSettings && oldSettings.contentSecurityPolicy) {
+    this.deinstrumentContentSecurityPolicy();
+  }
 };
 
 Instrumenter.prototype.deinstrumentNetwork = function() {
@@ -694,6 +704,43 @@ Instrumenter.prototype.instrumentConnectivity = function() {
   }
 };
 
+Instrumenter.prototype.handleCspEvent = function(cspEvent) {
+  var message = 'Security Policy Violation: ' +
+    'blockedURI: ' + cspEvent.blockedURI + ', ' +
+    'violatedDirective: ' + cspEvent.violatedDirective + ', ' +
+    'effectiveDirective: ' + cspEvent.effectiveDirective + ', ';
+
+  if (cspEvent.sourceFile) {
+    message += 'location: ' + cspEvent.sourceFile + ', ' +
+      'line: ' + cspEvent.lineNumber + ', ' +
+      'col: ' + cspEvent.columnNumber + ', ';
+  }
+
+  message += 'originalPolicy: ' + cspEvent.originalPolicy;
+
+  this.telemeter.captureLog(message, 'error');
+  this.handleCspError(message);
+}
+
+Instrumenter.prototype.handleCspError = function(message) {
+  if (this.autoInstrument.errorOnContentSecurityPolicy) {
+    this.rollbar.error(message);
+  }
+}
+
+Instrumenter.prototype.deinstrumentContentSecurityPolicy = function() {
+  if (!('addEventListener' in this._window)) { return; }
+
+  this.removeListeners('contentsecuritypolicy');
+};
+
+Instrumenter.prototype.instrumentContentSecurityPolicy = function() {
+  if (!('addEventListener' in this._window)) { return; }
+
+  var cspHandler = this.handleCspEvent.bind(this);
+  this.addListener('contentsecuritypolicy', this._window, 'securitypolicyviolation', null, cspHandler, false);
+};
+
 Instrumenter.prototype.addListener = function(section, obj, type, altType, handler, capture) {
   if (obj.addEventListener) {
     obj.addEventListener(type, handler, capture);

test/browser.rollbar.test.js

@@ -1137,6 +1137,57 @@ describe('options.autoInstrument', function() {
     );
   }
 
+  describe('options.autoInstrument.contentSecurityPolicy', function() {
+    beforeEach(function (done) {
+      var options = {
+        accessToken: 'POST_CLIENT_ITEM_TOKEN',
+        autoInstrument: {
+          log: false,
+          contentSecurityPolicy: true,
+          errorOnContentSecurityPolicy: true
+        }
+      };
+      window.rollbar = new Rollbar(options);
+      done();
+    });
+
+    afterEach(function () {
+      window.rollbar.configure({ autoInstrument: false, captureUncaught: false });
+    });
+
+    it('should report content security policy errors', function(done) {
+      var queue = rollbar.client.notifier.queue;
+      var queueStub = sinon.stub(queue, '_makeApiRequest');
+
+      // Load the HTML page, so errors can be generated.
+      document.write(window.__html__['examples/csp-errors.html']);
+
+      setTimeout(function() {
+        try {
+          var item = queueStub.getCall(0).args[0];
+          var message = item.body.message.body;
+          var telemetry = item.body.telemetry[0]
+
+          expect(message).to.match(/Security Policy Violation/);
+          expect(message).to.match(/blockedURI: https:\/\/example.com\/v3\//);
+          expect(message).to.match(/violatedDirective: script-src/);
+          expect(message).to.match(/originalPolicy: default-src 'self' 'unsafe-inline' 'unsafe-eval';/);
+
+          expect(telemetry.level).to.eql('error');
+          expect(telemetry.type).to.eql('log');
+          expect(telemetry.body.message).to.match(/Security Policy Violation/);
+          expect(telemetry.body.message).to.match(/blockedURI: https:\/\/example.com\/v3\//);
+          expect(telemetry.body.message).to.match(/violatedDirective: script-src/);
+          expect(telemetry.body.message).to.match(/originalPolicy: default-src 'self' 'unsafe-inline' 'unsafe-eval';/);
+
+          done();
+        } catch (e) {
+          done(e);
+        }
+      }, 100);
+    });
+  });
+
   it('should add telemetry events when console.log is called', function(done) {
     var server = window.server;
     stubResponse(server);