Skip to content

Commit 017d72b

Browse files
authored
fix(csp): suppress localhost/loopback CSP violations from Smart TV browsers (koala73#2603)
Smart TV browsers (Tizen, webOS) inject scripts that call localhost services (e.g., localhost:9009/service/tvinfo). CSP correctly blocks these, but the violation listener was reporting them to Sentry. Matches any port on localhost and 127.0.0.1 over http/https.
1 parent b162b3e commit 017d72b

2 files changed

Lines changed: 16 additions & 0 deletions

File tree

src/main.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -382,6 +382,8 @@ function shouldSuppressCspViolation(
382382
if (blockedURI === 'inline' && directive === 'script-src-elem') return true;
383383
// Null blocked URI from in-app browsers.
384384
if (blockedURI === 'null') return true;
385+
// localhost/loopback — Smart TV browsers (Tizen, webOS) and dev tools inject local service calls.
386+
if (/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?\//.test(blockedURI)) return true;
385387
return false;
386388
}
387389
// Detect once whether BOTH the meta tag and HTTP header CSP allow https: in connect-src.

tests/csp-filter.test.mjs

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -140,6 +140,20 @@ describe('CSP violation filter (shouldSuppressCspViolation)', () => {
140140
});
141141
});
142142

143+
describe('localhost/loopback', () => {
144+
it('suppresses http://localhost:9009 (Smart TV tuner service)', () => {
145+
assert.ok(suppress('enforce', 'connect-src', 'http://localhost:9009/service/tvinfo', '', false));
146+
});
147+
148+
it('suppresses http://127.0.0.1:8080', () => {
149+
assert.ok(suppress('enforce', 'connect-src', 'http://127.0.0.1:8080/api', '', false));
150+
});
151+
152+
it('suppresses https://localhost:3000', () => {
153+
assert.ok(suppress('enforce', 'connect-src', 'https://localhost:3000/dev', '', false));
154+
});
155+
});
156+
143157
describe('real violations pass through', () => {
144158
it('reports third-party script-src violation', () => {
145159
assert.ok(!suppress('enforce', 'script-src', 'https://evil.com/crypto-miner.js', '', true));

0 commit comments

Comments
 (0)