
Issue 650154

Starred by 4 users

Issue metadata

Status: Duplicate
Merged: issue 648508
Owner: ----
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug




Wildcard not handled in Content-Security-Policy

Reported by prymas.s...@gmail.com, Sep 26 2016

Issue description

WebView has stopped handling the wildcard in Content-Security-Policy for the 'script-src' attribute.
It leads to scripts not being loaded from any domain (also from file://, which is used in Cordova apps).
Applying CSP with every single domain (instead of wildcard) used by app resolves this problem.

Device name: Motorola Moto G3 (as well as every device with Webview beta)
Android version: 6.0.1
WebView version (from system settings -> Apps -> Android System WebView): 54.0.2840.34
Application: Fitatu
Application version: 2.3.4

URLs (if applicable):

Steps to reproduce:
(1) Install app
(2) Run app
(3) Blank screen will appear, app won't start

Expected result:
App will start properly.
System should handle wildcard in Content-Security-Policy

Actual result:
Blank screen appears, scripts cannot be loaded.
 

Comment 1 by torne@chromium.org, Sep 26 2016

Issue 650252 has been merged into this issue.

Comment 2 by torne@chromium.org, Sep 26 2016

This looks like it's related to issue 648508.

Comment 3 by torne@chromium.org, Sep 26 2016

As discussed in issue 648508 there is indeed an issue that causes * to not include file: URLs in cases where it should. However, you mention loading from other domains too, which doesn't seem like it should happen because of that bug.

Can you give an example of a request being blocked by CSP when it should be allowed by the wildcard that doesn't involve file: so we can see if there's another issue?

I had some problems with loading from other domains but cannot reproduce them despite many trials; I suppose it wasn't related to the CSP issue.
So the only problem I can confirm is the problem with the wildcard not handling file:

Comment 5 by torne@chromium.org, Sep 27 2016

Mergedinto: 648508
Status: Duplicate (was: Unconfirmed)
Thanks for checking; if you do find another problem please let us know and we'll look at it, but for now I'm duping this against the other issue (which has been fixed in trunk and should be corrected in the next beta so you can test).
