We have a web service which has a pretty strict CSP header that blocks `eval` among other things. We get many CSP violation reports that include the following info:
```json
{
  "csp-report": {
    "blocked-uri": "eval",
    "column-number": 61,
    "document-uri": "https://example.com/path/to/something",
    "line-number": 56,
    "original-policy": "default-src 'self'; connect-src 'self' https://www.google-analytics.com; script-src 'self' 'report-sample' https://www.google-analytics.com; sandbox allow-downloads allow-popups allow-scripts allow-same-origin allow-top-navigation allow-forms allow-modals allow-popups-to-escape-sandbox allow-presentation; img-src * data:; style-src * 'unsafe-inline'; font-src * data: about:; media-src *; frame-src * data:; report-uri https://example.com/:reportcspviolation",
    "referrer": "",
    "script-sample": "var KERNEL = $2C6A44CB_AD42_4731_A544_3F…",
    "source-file": "blob:https://example.com/b402b32e-ebf5-4103-b8e8-4cd3c1f56e2a",
    "violated-directive": "script-src"
  }
}
```
and the document at `document-uri` doesn't have any inline JavaScript. And the whole service source code does not contain the uppercase letters `KERNEL`, so it cannot be emitted by our service. The document at `document-uri` also doesn't use any `<iframe>` elements, so the error cannot be caused by any nested document either.

All reports seem to include exactly the same letters `var KERNEL = $2C6A44CB_AD42_4731_A544_3F` (with Firefox adding an ellipsis and Chrome ending the sample as-is).
I've seen similar CSP reports from the following UA strings (in order of how often this happens):

```
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
```
so it seems clear that this is not about browser compatibility. I cannot reproduce the errors by using any of those browsers and loading the address pointed to by `document-uri`.

At least 95% of all reported errors with `var KERNEL =` have been emitted by Firefox 85.0.

Why is the `source-file` in the `blob:` scheme? Is this some well-known hack to run JavaScript code by some browser extension?

My best guess is that this is caused by some badly made browser extension, but is there any way to figure out the actual cause?
> All reports seem to include exactly the same letters `var KERNEL = $2C6A44CB_AD42_4731_A544_3F`

Such a signature belongs to a malicious browser plugin and an affiliated virus.

> Why is the `source-file` in the `blob:` scheme? Is this some well-known hack to run JavaScript code by some browser extension?

I do not know if this is a well-known hack, but some weird thing is observed in browser behaviour.

Your CSP does not allow `blob:`, therefore `blob:https://example.com/b402b32e-ebf5-4103-b8e8-4cd3c1f56e2a` must be blocked and we should observe `"blocked-uri": "blob"`. But we see `"blocked-uri": "eval"`; this means `blob:https://example.com/b402b32e-ebf5-4103-b8e8-4cd3c1f56e2a` is executed, and the `eval` in its line 56 is blocked.

Note: The script of the browser plugin above uses `eval()` function calls and it uses a `blob:` URL in the code.

Yes, these should be blocked by your CSP, but blocking `eval` inside a `blob:` is nonsense for a CSP like `script-src 'self' 'report-sample' https://www.google-analytics.com`.
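A triage helper for reports like the one in the question, added here as an example and not code from the question or the answer. It parses `original-policy`, checks whether the `source-file` scheme is one the effective `script-src` could ever have permitted (`*` does not match `blob:`), and flags reports whose `script-sample` starts with the signature above as client-side noise rather than a defect in the site's own code. The sample report and the signature list are constructed from the values quoted on this page; the field names in the returned dict are this example's own.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the report quoted in the question (not real telemetry).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "eval",
    "document-uri": "https://example.com/path/to/something",
    "original-policy": "default-src 'self'; script-src 'self' 'report-sample' "
                       "https://www.google-analytics.com; report-uri https://example.com/:reportcspviolation",
    "script-sample": "var KERNEL = $2C6A44CB_AD42_4731_A544_3F\u2026",
    "source-file": "blob:https://example.com/b402b32e-ebf5-4103-b8e8-4cd3c1f56e2a",
    "violated-directive": "script-src"}})

# script-sample prefixes known to come from injected (extension/malware) code; the one from the question.
NOISE_SIGNATURES = ("var KERNEL = $2C6A44CB_AD42_4731_A544_3F",)

def parse_policy(policy):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}; source expressions are kept verbatim."""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out

def triage(report_json):
    """Classify one CSP report: could the blocked script have been loaded by our own page at all?"""
    r = json.loads(report_json)["csp-report"]
    policy = parse_policy(r.get("original-policy", ""))
    # script-src falls back to default-src when absent, as the CSP spec says.
    sources = policy.get("script-src", policy.get("default-src", []))
    scheme = urlsplit(r.get("source-file", "")).scheme  # 'blob' for a blob:https://... URL
    # A bare '*' never matches blob:, data: or filesystem:, so only an explicit 'blob:' source permits it.
    # http(s) scripts are treated as "maybe ours" here; host matching is left out for brevity.
    scheme_permitted = scheme in ("http", "https") or f"{scheme}:" in sources
    verdict = {
        "eval_blocked": r.get("blocked-uri") == "eval" and "'unsafe-eval'" not in sources,
        "known_signature": r.get("script-sample", "").startswith(NOISE_SIGNATURES),
        "scheme_not_in_policy": bool(scheme) and not scheme_permitted,
    }
    # A script the policy would never have let the page load was put there by the client
    # (extension or injected code), so an eval inside it is not a bug in our own code.
    verdict["client_side_noise"] = verdict["known_signature"] or verdict["scheme_not_in_policy"]
    return verdict

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Reports with `client_side_noise` set can be counted and dropped from alerting while the remaining `eval_blocked` reports from `https:` sources still point at code worth fixing.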