Issue 725805
Issue metadata

Status: Duplicate
Merged: issue gerrit:5828
Closed: Jun 2017
Pri: 3
Type: Bug

CSP violations on gerrit

Project Member Reported by jochen@chromium.org, May 24 2017

Issue description

There are several violations reported like this:

gr-app.js:1550 [Report Only] Refused to load the script 'https://chromium-review.googlesource.com/plugins/buildbucket/static/cr-buildbucket-view.html' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.

importHref @ gr-app.js:1550
chromium-review.googlesource.com/:1 [Report Only] Refused to load the script 'https://chromium-review.googlesource.com/plugins/buildbucket/static/cr-buildbucket-client.html' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.

chromium-review.googlesource.com/:1 [Report Only] Refused to load the script 'https://chromium-review.googlesource.com/plugins/buildbucket/static/cr-tryjob-picker.html' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.

chromium-review.googlesource.com/:1 [Report Only] Refused to load the script 'https://chromium-review.googlesource.com/plugins/buildbucket/static/cr-buildbucket-view.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.

chromium-review.googlesource.com/:1 [Report Only] Refused to load the script 'https://apis.google.com/js/platform.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.

chromium-review.googlesource.com/:1 [Report Only] Refused to load the script 'https://chromium-review.googlesource.com/plugins/buildbucket/static/cr-tryjob-picker.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.

chromium-review.googlesource.com/:1 [Report Only] Refused to load the script 'https://chromium-review.googlesource.com/plugins/buildbucket/static/cr-buildbucket-client.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.
 

Comment 1 by jochen@chromium.org, May 24 2017

it also complains about document.write:

Failed to execute 'write' on 'Document': It isn't possible to write into a document from an asynchronously-loaded external script unless it is explicitly opened.
goog.writeScriptSrcNode_ @ gr-app.js:112

Comment 2 by lgrey@chromium.org, May 24 2017

Labels: -OS-Mac
Mergedinto: gerrit:5828
Status: Duplicate (was: Unconfirmed)
Yes, these are known. Gerrit is running CSP in advisory mode, and hopes to turn on enforcement soon. 
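The console messages in the report and the "advisory mode" mentioned in the last comment both follow from how a browser evaluates `script-src`. The following simplified model, added here as an illustration and not code from the bug report, Gerrit or Chromium, shows why the plugin loads are reported even though `https:` is in the policy: once `'strict-dynamic'` is present, scheme and host sources are ignored and a parser-inserted script (static markup or `document.write()`) with no matching nonce is a violation, while a script created by already-running trusted code is allowed. It also models report-only delivery, where the violation is logged but the script still loads. The directive string is the one quoted above; the script descriptors, the header names passed in and the nonce value `abc123` are constructed sample inputs, and hashes, `'self'` and path matching are left out.

```javascript
// Added example: a simplified model of how a browser evaluates a script-src
// directive. Not Gerrit or Chromium code; it follows the CSP3 rules for
// 'strict-dynamic' and report-only mode closely enough to explain the
// console messages in this issue. Hashes, 'self' and path matching are omitted.

// Parse "script-src 'unsafe-inline' 'strict-dynamic' https: ..." into its parts.
function parseScriptSrc(directive) {
  const tokens = directive.trim().split(/\s+/).filter(Boolean);
  if (tokens[0] === 'script-src') tokens.shift();
  const policy = { strictDynamic: false, unsafeInline: false, nonces: new Set(), hosts: [], schemes: [] };
  for (const t of tokens) {
    if (t.startsWith("'")) {
      const kw = t.replace(/^'|'$/g, '');
      if (kw === 'strict-dynamic') policy.strictDynamic = true;
      else if (kw === 'unsafe-inline') policy.unsafeInline = true;
      else if (kw.startsWith('nonce-')) policy.nonces.add(kw.slice('nonce-'.length));
      // 'unsafe-eval' governs eval(), not script fetches, so it is ignored here.
    } else if (/^[a-z][a-z0-9+.-]*:$/i.test(t)) {
      policy.schemes.push(t.slice(0, -1).toLowerCase()); // scheme-source, e.g. https:
    } else {
      policy.hosts.push(t); // host-source, e.g. https://example.test or *.example.test
    }
  }
  return policy;
}

// Host-based whitelisting: does the script URL match a scheme or host source?
function matchesHostAllowlist(policy, url) {
  const u = new URL(url);
  if (policy.schemes.includes(u.protocol.slice(0, -1))) return true;
  return policy.hosts.some((src) => {
    const host = src.replace(/^[a-z]+:\/\//i, '').split('/')[0].toLowerCase();
    return host === u.host || (host.startsWith('*.') && u.host.endsWith(host.slice(1)));
  });
}

// Decide whether one script element may load. `script` has: url, nonce (optional),
// parserInserted (true for static markup and document.write(); false for elements
// created by already-running script via createElement/appendChild).
function scriptSrcDecision(directive, script) {
  const policy = parseScriptSrc(directive);
  const nonceOk = script.nonce !== undefined && policy.nonces.has(script.nonce);
  if (policy.strictDynamic) {
    // CSP3: 'strict-dynamic' makes the browser ignore host-source, scheme-source
    // and 'unsafe-inline'. Trust comes only from a nonce/hash, or from being a
    // non-parser-inserted element (which only already-trusted script can create).
    if (nonceOk) return { allowed: true, reason: 'nonce' };
    if (!script.parserInserted) return { allowed: true, reason: 'trust propagated from executing script' };
    return { allowed: false, reason: "'strict-dynamic' is present, so host-based whitelisting is disabled" };
  }
  if (nonceOk) return { allowed: true, reason: 'nonce' };
  if (matchesHostAllowlist(policy, script.url)) return { allowed: true, reason: 'host allowlist' };
  return { allowed: false, reason: 'no matching source expression' };
}

// Report-only ("advisory") vs. enforcing delivery: identical decision, but only the
// enforcing header actually blocks the load; report-only just logs/reports it.
function applyPolicy(headerName, directive, script) {
  const decision = scriptSrcDecision(directive, script);
  const reportOnly = headerName.toLowerCase() === 'content-security-policy-report-only';
  return {
    loaded: decision.allowed || reportOnly,
    violationReported: !decision.allowed,
    reportOnly,
    reason: decision.reason,
  };
}

// The directive quoted in the report, and a constructed descriptor for one of the
// plugin scripts as it would look when inserted via document.write().
const GERRIT_DIRECTIVE = "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:";
const PLUGIN_SCRIPT = {
  url: 'https://chromium-review.googlesource.com/plugins/buildbucket/static/cr-buildbucket-view.js',
  parserInserted: true,
};

function demo() {
  return [
    ['report-only, document.write()', applyPolicy('Content-Security-Policy-Report-Only', GERRIT_DIRECTIVE, PLUGIN_SCRIPT)],
    ['enforcing, document.write()', applyPolicy('Content-Security-Policy', GERRIT_DIRECTIVE, PLUGIN_SCRIPT)],
    ['enforcing, createElement by trusted script', applyPolicy('Content-Security-Policy', GERRIT_DIRECTIVE, { ...PLUGIN_SCRIPT, parserInserted: false })],
    ['enforcing, same URL without strict-dynamic', applyPolicy('Content-Security-Policy', 'script-src https:', PLUGIN_SCRIPT)],
  ];
}

for (const [label, result] of demo()) {
  console.log(`${label}: loaded=${result.loaded} reported=${result.violationReported} (${result.reason})`);
}
```

Running it shows the rollout pattern the comment describes: under the report-only header every plugin load above produces a report but the page keeps working, and flipping the same directive to the enforcing header would block exactly those loads, so the report-only phase is where these `document.write()`-inserted plugin scripts need to be moved to nonce-carrying or script-created elements before enforcement is switched on.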
