If the URL (generated by me on ngrok, and which I am listening on) supplied in the blocked-uri parameter of another CSP report submitted to a Sentry server is getting GET requests from cache.google.com and other cache servers like atmc and ncren, not the Sentry server itself, is it a normal thing or some vulnerability, since the URL data shouldn’t be out there? What’s the reason behind it?
What I do: with Burp Suite, I replace the blocked-uri parameter of a CSP report to be submitted to the Sentry of a web-app with my ngrok-generated URL, which I am listening on.
What I expect: the report should be submitted to the Sentry of that web-app, and it should be saved for later error analysis by the web-app security engineers.
What is happening: the URL is getting GET requests not from the web-app’s servers but from cache.google.com and a few times from cache servers of ncren and atmc.
The SSRF thing: it would surely be SSRF if the web-app’s Sentry server sent a GET request to scrape the URL I supplied, but if Google, atmc, and ncren cache servers are doing GET requests to the URL, then why is that happening, and is it some kind of SSRF?