Chrome CSP throws an error but still allows the script to be executed.
Reported by
ku...@whatfix.com,
Feb 17 2017
Issue description

Chrome Version: Version 56.0.2924.87 (64-bit)
URLs (if applicable): Any page with a CSP policy

We are trying to make our Chrome extension work on the Salesforce Lightning platform. The platform has specified a set of CSPs which we were not compliant with. After modifying our extension, it now works on that platform. However, we still see the below console error:

====================================================================
Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src https://whatfix.com https://www.google-analytics.com 'unsafe-eval' 'self' chrome-extension: https://sfdc.azureedge.net *.ap4.visual.force.com https://ssl.gstatic.com/accessibility/". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
====================================================================

Note that the above issue is thrown at the below line:

$doc.body.appendChild(scriptFrame);

We are trying to attach an iFrame to the body of the page:

<iframe src='javascript:""' id="embed" tabindex="-1" style="position: absolute; width: 0px; height: 0px; border: none; left: -1000px; top: -1000px;">
...
...
</iframe>

What is the expected result?
No error should be seen in the console.

What happens instead?
Error is thrown in the console BUT THE IFRAME IS STILL ADDED. In other words, even though the error is thrown, everything works as expected.

Workaround: if I change the src attribute of the above frame from src='javascript:""' to src='about:blank', the error is no longer seen in the console.

Can the team respond if this is an expected warning or a bug? Should the script be actually blocked?
Feb 22 2017
Tested in Chrome #56.0.2924.87 and Canary #58.0.3020.0 on Ubuntu 14.04, Mac 10.12.3 and Win 10.0. Unable to test with the provided JS.

Steps followed:
1. Navigate to the provided URLs (https://whatfix.com, https://www.google-analytics.com)
2. Navigate to dev tools > console and paste the iframe code.

Please find the screenshots for your reference.

@kumar: Could you please let me know if I have missed anything and, if possible, provide us with a sample file, OS & test steps of the issue, which would help us to triage the issue further. Thanks in advance.
Feb 22 2017
Please find the attachment.
Feb 23 2017
I would not expect the iFrame not to be created and added; I would only expect its script source not to run. Does the script actually run? For me, it does not, even though the iFrame is indeed created and added:

data:text/html,<!doctype html><meta http-equiv="Content-Security-Policy" content="script-src https://whatfix.com https://www.google-analytics.com 'unsafe-eval' 'self' chrome-extension: https://sfdc.azureedge.net *.ap4.visual.force.com https://ssl.gstatic.com/accessibility/ 'nonce-a'"><script nonce="a">var frame = document.createElement("iframe");frame.src="javascript:document.write('s');";document.documentElement.appendChild(frame);</script>

If you can provide a small test case that shows the problem, that would help.
Feb 23 2017
Sure. I will create a small test case and get back to you soon.
Feb 23 2017
The script execution we're preventing is the frame navigation. That is, you've got a frame, and you've asked the system to navigate to `javascript:''`. Normally, we'd execute that script (which evaluates to the empty string), check whether the result is a string, and then navigate to a synthesized HTML page with that string's value as its content. See step ~12 of https://html.spec.whatwg.org/#navigate for details.

Note that this behavior is nuts, and if I can find any way to drive down https://www.chromestatus.com/metrics/feature/timeline/popularity/215 to sane numbers, I'll totally rip it out. :)

---

In any event, for the specific case of `javascript:''`, both the success and failure cases end up navigating to the equivalent of `about:blank`. Please just use that instead.
Comment 1 by ranjitkan@chromium.org, Feb 20 2017