
Issue 638148

Issue metadata

Status: Assigned
Owner:
Last visit > 30 days ago
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Feature



CSP violation messages should report the source of the violated CSP

Reported by benbe1...@googlemail.com, Aug 16 2016

Issue description

Chrome Version: Chromium 52.0.2743.116 (Developer-Build) (64-Bit)
based on feb0ea45a0164eef52aa2631dd95d7c85fa65faa
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable) :
Other browsers tested:
IE 11.0.9600.18426: OK
Palemoon 26.3.3 (x64): OK

What steps will reproduce the problem?
1. Setup a domain localdev.somedomain.de via Hosts file to resolve to 127.0.0.1 (domain does not exist in DNS).
2. Provide attached files via HTTP at http://localdev.somedomain.de/chrome.*
2a Local test server may return "Content-Security-Policy: default-src 'self';" header
3. Visit http://localdev.somedomain.de/chrome.html

What is the expected result?
- Browser loads CSS
- Browser loads JS
- Browser displays alert box (as given in the JS)

What happens instead of that?
- Browser loads CSS
- Browser rejects JS due to CSP violation:
chrome.html:1 Refused to load the script 'http://localdev.somedomain.tld/chrome.js' because it violates the following Content Security Policy directive: "script-src 'none'".

Please provide any additional information below. Attach a screenshot if
possible.

The following variations have been tested:
- Including/skipping the META tag for the CSP header in the HTML file -> no effect
- Including/skipping the CSP header in the web server serving the sample files.

The following has not been tested:
- Delivery via HTTPS

Full Build Command as provided in about:version

Blink	537.36 (@9115ecad1cae66fd5fe52bd9120af643384fd6f3)
JavaScript	V8 5.2.361.49
Flash	(Disabled)
User-Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Command Line	"C:\Users\MYUSERNAME\AppData\Local\Chromium\Application\chrome.exe" --flag-switches-begin --enable-appcontainer --disable-offer-upload-credit-cards --enable-devtools-experiments --enable-embedded-extension-options --enable-experimental-web-platform-features --enable-grouped-history --javascript-harmony --disable-offer-store-unmasked-wallet-cards --enable-offline-auto-reload-visible-only --enable-offline-auto-reload --disable-password-generation --enable-quic --site-per-process --enable-spelling-feedback-field-trial --enable-unsafe-es3-apis --enable-wasm --enable-webfonts-intervention-trigger --enable-webgl-draft-extensions --enable-webrtc-dtls12 --enable-experimental-extension-apis --reduced-referrer-granularity --enable-features=OptimizeLoadingIPCForSmallResources,StaleWhileRevalidate2,V8Ignition,WebFontsInterventionV2,WebRTC-H264WithOpenH264FFmpeg,WebUSB,brotli-encoding,token-binding --disable-features=SafeSearchUrlReporting,affiliation-based-matching,enable-automatic-password-saving,enable-manual-password-generation,enable-password-force-saving,protect-sync-credential,protect-sync-credential-on-reauth --flag-switches-end

Also see attached screenshots.
Attachments:
- chrome.html (557 bytes)
- chrome.css (243 bytes)
- chrome.js (12 bytes)
- server-headers-redacted.png (152 KB)
- chrome-message-redacted.png (73.6 KB)

Comment 1 by est...@chromium.org, Aug 16 2016

Cc: mkwst@chromium.org
Components: Blink>SecurityFeature
Hmm, I can't reproduce on stable or canary. The only thing I can think of is maybe some extension is injecting a restrictive CSP into the page? Are you able to reproduce with a fresh profile? Instructions here: https://www.chromium.org/developers/creating-and-using-profiles

Thanks for that pointer: Based on that I could pin down the issue to one extension (ScriptSafe in my case), where the page wasn't yet whitelisted.

Hinting at the origin of the CSP (Server vs. DOM vs. Extension vs. Policy) might have helped avoid that confusion. Praise to clear error messages. ;-)
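
The reproduction steps above and the request in the previous comment point at a property of CSP that the console line hides: a document can be subject to several policies at once (the server's header, a <meta http-equiv> tag, a header added by an extension such as ScriptSafe), each one is enforced independently, and the message only quotes the directive that was violated. The following is an added example, not code from Chromium, from the reporter or from the issue's attachments. It shows how a page that knows which policies it delivered can compare them against the originalPolicy field that every securitypolicyviolation event carries (the JSON report sent to report-uri/report-to carries the same text as "original-policy"), and so tell its own policy from one it never sent, and which directive in that policy actually governed the load once the default-src fallback is applied. The policy strings, URLs and event objects are constructed for illustration, and the fallback table is abbreviated to the directives used here.

```javascript
// Added example for issue 638148; not Chromium code and not the reporter's test files.
// Parse a serialized CSP into Map<directiveName, sortedSourceList>.
// As in the spec, the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(serialized) {
  const directives = new Map();
  for (const part of String(serialized).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (directives.has(name)) continue;
    // Keyword sources ('self', 'none', 'unsafe-inline') are ASCII case-insensitive;
    // host sources are left as written.
    const sources = tokens.slice(1)
      .map((s) => (s.startsWith("'") ? s.toLowerCase() : s))
      .sort();
    directives.set(name, sources);
  }
  return directives;
}

// Canonical form so that "default-src 'self';" and "DEFAULT-SRC 'SELF'" compare equal.
function canonicalCsp(serialized) {
  return [...parseCsp(serialized).entries()]
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Abbreviated fallback chains (CSP3): which directives are consulted, in order,
// when the browser reports a given effective directive.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
  'font-src': ['font-src', 'default-src'],
};

// The directive inside `policy` that governed `effectiveDirective`, or null when the
// policy has no applicable directive at all (then it cannot have blocked the load).
function governingDirective(policy, effectiveDirective) {
  const parsed = parseCsp(policy);
  const chain = FALLBACK[effectiveDirective] || [effectiveDirective];
  for (const name of chain) {
    if (parsed.has(name)) return { name, sources: parsed.get(name) };
  }
  return null;
}

// deliveredPolicies: [{ via: 'http-header' | 'meta', policy: '...' }] as the page itself sent them.
// violation: any object with the SecurityPolicyViolationEvent fields used below.
function classifyViolation(deliveredPolicies, violation) {
  const reported = canonicalCsp(violation.originalPolicy);
  const delivered = deliveredPolicies.find((p) => canonicalCsp(p.policy) === reported);
  return {
    blockedURI: violation.blockedURI,
    effectiveDirective: violation.effectiveDirective,
    // null: no policy this page delivered matches the one that fired, so something
    // else (extension, proxy, injected <meta>) supplied it.
    deliveredVia: delivered ? delivered.via : null,
    governing: governingDirective(violation.originalPolicy, violation.effectiveDirective),
  };
}

// Constructed sample data (not the issue's attachments).
const DELIVERED_POLICIES = [{ via: 'http-header', policy: "default-src 'self';" }];

// Raised by the page's own header policy: effective directive script-src-elem,
// but the governing directive is default-src via fallback.
const OWN_POLICY_VIOLATION = {
  blockedURI: 'http://cdn.example/lib.js',
  effectiveDirective: 'script-src-elem',
  originalPolicy: "default-src 'self'",
};

// Raised by a policy the page never sent, shaped like the console message in the
// report above ("script-src 'none'").
const INJECTED_VIOLATION = {
  blockedURI: 'http://localdev.somedomain.de/chrome.js',
  effectiveDirective: 'script-src-elem',
  originalPolicy: "script-src 'none'",
};

// In a browser, hook the page's own violation events; outside one only the functions are used.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => {
    const v = classifyViolation(DELIVERED_POLICIES, ev);
    console.warn('CSP violation:', v.blockedURI, 'blocked by', v.effectiveDirective,
      '; policy delivered via', v.deliveredVia === null ? 'NOT this page (extension or proxy?)' : v.deliveredVia);
  });
}
```

For the case in the report (server sends default-src 'self', console quotes script-src 'none') classifyViolation returns deliveredVia null, which is the hint the comment asks for. A header added by an extension is indistinguishable from a server header except by its text, so text comparison against what the server knows it sent is the only check available to the page; the same comparison can be done server-side on the original-policy field of a violation report.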

Comment 3 by est...@chromium.org, Aug 16 2016

Labels: -OS-Windows -Type-Bug OS-All Type-Feature
Status: Available (was: Unconfirmed)
Summary: CSP violation messages should report the source of the violated CSP (was: Loading JS from resolves-to-localhost domain blocked by CSP)
Yep, the error message could probably be better. Though, off the top of my head, I'm not sure whether or not it would be feasible to track who inserted a given CSP on the page.

Comment 4 by sheriffbot@chromium.org, Aug 16 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Cc: andypaicu@chromium.org
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org
Status: Assigned (was: Untriaged)

Comment 6 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 7 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
