capture basic csp info

Author: metal-messiah

src/features/jserrors/instrument/index.js

@@ -47,6 +47,11 @@ export class Instrument extends InstrumentBase {
       handle('err', [castErrorEvent(errorEvent), now(), false, {}, agentRef.runtime.isRecording], undefined, this.featureName, this.ee)
     }, eventListenerOpts(false, this.removeOnAbort?.signal))
 
+    globalScope.addEventListener('securitypolicyviolation', (violationEvent) => {
+      if (!this.abortHandler) return
+      handle('err', [castErrorEvent(violationEvent), now(), false, { cspViolation: 1 }, agentRef.runtime.isRecording], undefined, this.featureName, this.ee)
+    })
+
     this.abortHandler = this.#abort // we also use this as a flag to denote that the feature is active or on and handling errors
     this.importAggregator(agentRef, () => import(/* webpackChunkName: "jserrors-aggregate" */ '../aggregate'))
   }

src/features/jserrors/shared/cast-error.js

@@ -70,6 +70,12 @@ export function castErrorEvent (errorEvent) {
     error.name = SyntaxError.name
     return error
   }
+  /** SecurityPolicyViolationEvent does not exist in safari workers */
+  if (typeof SecurityPolicyViolationEvent !== 'undefined' && errorEvent instanceof SecurityPolicyViolationEvent) {
+    const error = new UncaughtError(errorEvent.violatedDirective, errorEvent.sourceFile, errorEvent.lineNumber, errorEvent.columnNumber, undefined, `violation of disposition: "${errorEvent.disposition}" of original policy: "${errorEvent.originalPolicy}"`)
+    error.name = 'ContentSecurityPolicyViolation'
+    return error
+  }
   if (canTrustError(errorEvent.error)) return errorEvent.error
   return castError(errorEvent)
 }

src/features/jserrors/shared/uncaught-error.js

@@ -11,12 +11,13 @@ import { stringify } from '../../../common/util/stringify'
  * do not use the Error class (strings, etc) to an object.
  */
 export class UncaughtError {
-  constructor (message, filename, lineno, colno, newrelic) {
+  constructor (message, filename, lineno, colno, newrelic, cause) {
     this.name = 'UncaughtError'
     this.message = typeof message === 'string' ? message : stringify(message)
     this.sourceURL = filename
     this.line = lineno
     this.column = colno
     this.__newrelic = newrelic
+    this.cause = cause
   }
 }

tests/assets/csp-violation.html

@@ -6,15 +6,25 @@
 <html>
   <head>
     <title>RUM Unit Test</title>
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; connect-src *;">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; connect-src *;" />
     {init} {config} {loader}
   </head>
-  <body>Instrumented
+  <body>
+    Instrumented
     <script>
+      document.addEventListener("securitypolicyviolation", function (event) {
+        console.log("CSP Violation:", event);
+
+        // Use event metadata to form a "stack trace"-like string
+        const stackTrace = [`Blocked URI: ${event.blockedURI}`, `Violated Directive: ${event.violatedDirective}`, `Source File: ${event.sourceFile}`, `Line: ${event.lineNumber}`, `Column: ${event.columnNumber}`, `Disposition: ${event.disposition}`].join("\n");
+        console.log("CSP Violation metadata as stack trace:\n" + stackTrace);
+      });
+
       // This script will trigger a CSP violation
-      var script = document.createElement('script');
-      script.src = 'https://example.com';
+      var script = document.createElement("script");
+      script.src = "https://example.com";
       document.body.appendChild(script);
     </script>
+    <script src="./js/csp.js"></script>
   </body>
 </html>

tests/assets/js/csp.js

@@ -0,0 +1,4 @@
+// This script will trigger a CSP violation
+var script = document.createElement('script')
+script.src = 'https://example.com'
+document.body.appendChild(script)