
Issue 651879 link

Starred by 1 user

Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




CSP: Chrome throws a SecurityError when creating a new EventSource to a blocked URL

Reported by t.dinklo...@gmail.com, Sep 30 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce the problem:
Test CSP capabilities by trying to set an EventSource to a blocked URL.

What is the expected behavior?
Quietly fail, no thrown error.

What went wrong?
Chrome is throwing an error while Firefox just quietly fails.

Did this work before? N/A 

Chrome version: 53.0.2785.116  Channel: canary
OS Version: 10.0
Flash Version: Shockwave Flash 23.0 r0

Refer to https://github.com/w3c/webappsec-csp/issues/120 From mikewest: Indeed. We originally were throwing in XHR, EventSource, etc. @annevk convinced me to change it a million years ago, as it aligns the behavior between redirect blockage and non-redirect blockage, and simplifies the interface to Fetch. I thought we updated Chrome, but it's entirely possible that we didn't.
In other words, this sounds like a Chrome bug and not a spec bug. If you file a bug against Chrome, I'll get it fixed.
 

Comment 1 by kenrb@chromium.org, Sep 30 2016

Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by mkwst@chromium.org, Oct 27 2016

Labels: Hotlist-Interop
Status: Started (was: Assigned)
Working on this in https://codereview.chromium.org/2456013002.

Comment 3 by bugdroid1@chromium.org, Mar 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8a4e051abc8f7a36687b5f45a214e9489b6a66b7

commit 8a4e051abc8f7a36687b5f45a214e9489b6a66b7
Author: mkwst <mkwst@chromium.org>
Date: Tue Mar 21 12:57:27 2017

CSP: 'connect-src' should not cause exceptions.

We changed the spec quite some time ago to deal with 'connect-src'
violations in Fetch rather than in each API individually. This means
that we should stop throwing exceptions in 'XHR::open', 'EventSource',
'WebSocket', and 'sendBeacon'.

Closes w3c/webappsec-csp#120.

BUG=651879,694525
R=tyoshino@chromium.org,foolip@chromium.org

Review-Url: https://codereview.chromium.org/2456013002
Cr-Commit-Position: refs/heads/master@{#458384}

[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html
[add] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html
[add] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html
[add] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/inside-worker/dedicated-inheritance.html
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/inside-worker/support/connect-src-allow.sub.js
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/inside-worker/support/connect-src-self.sub.js
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/testharness-helper.js
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/fast/eventsource/eventsource-constructor-expected.txt
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/fast/eventsource/eventsource-constructor.html
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-exceptions-expected.txt
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-exceptions.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-beacon-blocked-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-beacon-blocked.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked-expected.txt
[delete] https://crrev.com/e7744503e5d45e5404373b447e1499c981174eb9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/Source/core/loader/PingLoader.cpp
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/Source/modules/beacon/NavigatorBeacon.cpp
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/Source/modules/eventsource/EventSource.cpp
[modify] https://crrev.com/8a4e051abc8f7a36687b5f45a214e9489b6a66b7/third_party/WebKit/Source/modules/websockets/DOMWebSocket.cpp
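The behaviour the issue description and the commit above describe, namely that a 'connect-src' violation must not surface as a synchronous exception from EventSource, WebSocket, XMLHttpRequest.open or sendBeacon but is reported later, once Fetch blocks the request, as an error event or a false return value, can be checked from a page with a small probe. The following is an added example, not code from the Chromium tree or from the WPT tests listed in the commit. BLOCKED_URL is a constructed placeholder for an origin outside the page's policy, and the `api` parameter is a hypothetical injection point so the same checks can be driven with stand-in constructors outside a browser.

```javascript
// Added example: verify that CSP 'connect-src' blocking never shows up as a
// synchronous throw. Serve the page with a header such as
//   Content-Security-Policy: connect-src 'self'
// and load this script; post-fix Chrome prints an empty "sync throws" list and
// then an 'error' event from the EventSource.

// Constructed placeholder: any origin that the policy does not allow.
const BLOCKED_URL = "https://blocked.example/events";

// Runs `construct()` and records whether it threw synchronously. The
// spec-conformant result is `threw === false`: the API object is created and
// the violation is signalled asynchronously.
function probeSynchronousThrow(construct) {
  try {
    const handle = construct();
    return { threw: false, handle };
  } catch (e) {
    return { threw: true, name: e && e.name };
  }
}

// Probes the four APIs the commit touches. `api` supplies the constructors
// (the real browser globals, or stand-ins in a harness) so the logic can be
// exercised without a browser.
function connectSrcProbes(api, url = BLOCKED_URL) {
  return {
    eventsource: probeSynchronousThrow(() => new api.EventSource(url)),
    websocket: probeSynchronousThrow(
      () => new api.WebSocket(url.replace(/^http/, "ws"))
    ),
    xhr: probeSynchronousThrow(() => {
      const x = new api.XMLHttpRequest();
      x.open("GET", url);
      return x;
    }),
    beacon: probeSynchronousThrow(() => api.navigator.sendBeacon(url, "")),
  };
}

// Names of the APIs that still throw synchronously; an empty list means the
// browser matches the post-fix behaviour.
function apisStillThrowing(api, url) {
  const results = connectSrcProbes(api, url);
  return Object.keys(results).filter((k) => results[k].threw);
}

// In a browser, the blocked request must still be observable: wait for the
// asynchronous 'error' event on the created object.
function awaitErrorEvent(target, timeoutMs = 2000) {
  return new Promise((resolve) => {
    const timer = setTimeout(() => resolve("timeout"), timeoutMs);
    target.addEventListener(
      "error",
      () => { clearTimeout(timer); resolve("error"); },
      { once: true }
    );
  });
}

// Only run the live probe when real browser globals are present.
if (typeof window !== "undefined" && typeof EventSource !== "undefined") {
  const api = { EventSource, WebSocket, XMLHttpRequest, navigator };
  console.log("sync throws:", apisStillThrowing(api));
  const es = connectSrcProbes(api).eventsource.handle;
  if (es) {
    awaitErrorEvent(es).then((signal) => {
      console.log("eventsource async signal:", signal);
      es.close();
    });
  }
}
```

The probe deliberately separates the two observations: the absence of a synchronous SecurityError (the bug this issue is about) and the presence of the asynchronous error signal (so a silent failure is not mistaken for an allowed request). A browser that passes the first check but times out on the second has not blocked the connection at all, which would be a policy bypass rather than a fix.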

Comment 4 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 5 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
