
Issue 603260

Starred by 7 users

Issue metadata

Status: Duplicate
Merged: issue 571234
Closed: Sep 2016
OS: Linux , Windows , Mac
Pri: 2
Type: Bug

CSP style attribute failure error message incorrectly suggests adding a hash value

Reported by scott.he...@gmail.com, Apr 13 2016

Issue description

Chrome Version: 49.0.2623.112
OS Version: 10.0
URLs (if applicable): https://scotthelme.co.uk/csp-hash-source-test/
Other browsers tested: none

What steps will reproduce the problem?
1. Visit the above URL.
2. The browser blocks an inline style and suggests a hash that matches a hash in the served CSP header.

What is the expected result?
The inline style should be whitelisted.

What happens instead of that?
The inline style is blocked.

UserAgentString: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36

Here is a screenshot of the error (attachment: chrome-hash-bug.png).
The same also happens in report-only policies: https://scotthelme.co.uk/cspro-hash-source-test/
Labels: Needs-Bisect
Issue also present on Chrome 49.0.2623.112 for OSX 10.11.4 (attachment: Screen Shot 2016-04-13 at 21.54.47.png).
Components: Blink>SecurityFeature
Cc: rnimmagadda@chromium.org
Labels: -Pri-3 -Needs-Bisect M-50 OS-Linux OS-Mac Pri-2
Status: Untriaged (was: Unconfirmed)
Able to repro this issue on Windows 7, Mac (10.11.4) and Ubuntu Trusty (14.04) with Google Chrome Stable version 50.0.2661.75.

This is a non-regression issue, existing since M30 (30.0.1549.0).

Screen recording is attached (603260.mov).
I've just stumbled across this bug again and almost raised a new bug as I'd forgotten about this one!

Confirmed still happening on Version 53.0.2785.101 m.

Attachment: hash.jpg

Comment 8 by jww@chromium.org, Sep 9 2016

Cc: est...@chromium.org mkwst@chromium.org
Owner: jww@chromium.org
Status: Assigned (was: Untriaged)
Sorry that this never made it onto our plate. I'm looking into it now.

Comment 9 by jww@chromium.org, Sep 9 2016

Summary: CSP style attribute failure error message incorrectly suggests adding a hash value (was: CSP hash-source not working for style-src)
As pointed out on Twitter, this is because the script is a style attribute, and not actually a style tag. Thus, the blocking is WAI, but indeed the error message is terrible. We should probably adjust the error message for style attributes, since a hash isn't going to help you.
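To make the distinction concrete, here is an added example (not Chromium code, and not taken from the reporter's test page) that computes a CSP hash-source the way the console message suggests and then applies CSP2's matching rules: the hash whitelists the content of a `<style>` element, but a `style=""` attribute is never matched against it, so the suggested hash cannot unblock it. The policy and style content are constructed samples.

```python
import base64
import hashlib

# Constructed sample: the content of an inline <style> element on a test page
# like the reporter's. The real page's markup and header are not reproduced.
INLINE_STYLE_ELEMENT = "body { background: #fff; }"


def csp_hash_source(content, algo="sha256"):
    """Return the CSP hash-source token ('sha256-<base64>') for inline content."""
    # CSP hashes the exact UTF-8 bytes, whitespace included, so only
    # byte-identical content matches the token.
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def parse_style_src(policy):
    """Return the style-src source list of a policy string as a set of tokens."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "style-src":
            return set(parts[1:])
    return set()


def is_inline_style_allowed(policy, content, kind):
    """Decide whether an inline style is allowed under CSP2 semantics.

    kind is "element" for <style>...</style> or "attribute" for style="...".
    A hash-source whitelists only a <style> element's content. A style
    attribute is never matched against hashes in CSP2, so the hash that the
    console message suggests cannot unblock it; only 'unsafe-inline' can.
    """
    sources = parse_style_src(policy)
    # Once any hash or nonce is listed, CSP2 ignores 'unsafe-inline'.
    strict = {s for s in sources if s.startswith(("'sha256-", "'sha384-",
                                                   "'sha512-", "'nonce-"))}
    if "'unsafe-inline'" in sources and not strict:
        return True
    if kind == "element":
        return csp_hash_source(content) in sources
    if kind == "attribute":
        return False
    raise ValueError("unknown inline style kind: %r" % kind)


if __name__ == "__main__":
    policy = "default-src 'self'; style-src 'self' " + csp_hash_source(INLINE_STYLE_ELEMENT)
    print(is_inline_style_allowed(policy, INLINE_STYLE_ELEMENT, "element"))  # True
    print(is_inline_style_allowed(policy, "color: red", "attribute"))        # False
```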

Comment 11 by jww@chromium.org, Sep 12 2016

Mergedinto: 571234
Status: Duplicate (was: Assigned)
At this point, issue 546106 is tracking unsafe-hashed-attributes, so I don't think this is really a dupe of that. However, issue 571234 does seem to be tracking the bad messaging, so I'm going to dupe this to that.
