
Issue 773679

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Feature
Team-Accessibility




ChromeVox gets blocked on sites using Content Security Policy

Project Member Reported by a...@google.com, Oct 11 2017

Issue description

[See http://b/67672960 for reference]

Copy of the original report:
"""
ChromeVox uses "javascript:" URIs[1] which get blocked by CSP in many Google applications (Gmail, Photos, ...).
Please refactor to use proper Chrome extension APIs like executeScript[2]

[1] window.location.href = 'javascript:cvox.Api.internalEnable();';
https://cs.chromium.org/chromium/src/chrome/browser/resources/chromeos/chromevox/chromevox/injected/api_implementation.js?q=javascript:+file:%5Esrc/chrome/browser/resources/chromeos/chromevox/chromevox/+package:%5Echromium$&l=32

[2] https://developer.chrome.com/extensions/tabs#method-executeScript
"""
 
Is there an *actual bug* - i.e. you observe ChromeVox failing to work on those sites when it works on others?

Or are you just reporting the error log?

My understanding is that all versions of ChromeVox do try to inject a tiny bit of code in the page, mostly for legacy reasons. I do see the CSP warning that that code injection failed; however, ChromeVox continues to work. Both the ChromeVox Classic extension, and the built-in ChromeVox on Chrome OS, work fine when CSP blocks that injected code.

As far as I know, Google Docs is the only remaining app that takes advantage of that injected code, and they're planning to move away from it.

I think this is a "WontFix" or a low-priority feature request to suppress the warning.


Comment 2 by a...@google.com, Oct 12 2017

Labels: -Pri-2 Pri-3
It's quite possible that there is no change in behavior -- this bug is based on the data we get from CSP violation reports sent to our reporting endpoint, so it's difficult to say if blocking the script caused any functionality to break.

I'm fine with bumping this down in priority or considering it a FR.
Labels: -Type-Bug Type-Feature
Status: Available (was: Untriaged)
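
One way to separate this kind of noise when triaging the violation reports the last comment refers to, as an added example that is not part of the original thread or of Chromium's code: it classifies legacy `report-uri` JSON bodies by whether the blocked script looks extension-injected. The sample reports, host names, the `<extension-id>` placeholder and the match on the `cvox.Api.` string are constructed assumptions; the result says who triggered the violation, not whether anything broke.

```javascript
// Constructed sample report bodies (legacy report-uri JSON), not real data.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://mail.example.test/",
      "effective-directive": "script-src", "blocked-uri": "inline",
      "script-sample": "javascript:cvox.Api.internalEnable();" } },
  { "csp-report": { "document-uri": "https://mail.example.test/",
      "effective-directive": "script-src", "blocked-uri": "inline",
      "source-file": "chrome-extension://<extension-id>/injected.js" } },
  { "csp-report": { "document-uri": "https://photos.example.test/",
      "effective-directive": "script-src",
      "blocked-uri": "https://cdn.example.test/widget.js" } },
  { "not-a-report": true },
];

// Assumption: the injected call quoted in the issue shows up in script-sample,
// which browsers only send when the policy includes 'report-sample'.
const KNOWN_INJECTED_SAMPLES = [/cvox\.Api\./];
const EXTENSION_SCHEMES = /^(chrome|moz)-extension:/;

// Returns "extension-injected", "site" or "malformed" for one report body.
function classifyReport(body) {
  const r = body && body["csp-report"];
  if (!r || typeof r !== "object") return "malformed";
  const sample = String(r["script-sample"] || "");
  const source = String(r["source-file"] || "");
  const blocked = String(r["blocked-uri"] || "");
  if (KNOWN_INJECTED_SAMPLES.some((re) => re.test(sample))) return "extension-injected";
  if (EXTENSION_SCHEMES.test(source) || EXTENSION_SCHEMES.test(blocked)) return "extension-injected";
  return "site"; // everything else still needs a human look
}

// Counts reports per class so extension noise does not hide site regressions.
function summarize(reports) {
  const counts = { "extension-injected": 0, site: 0, malformed: 0 };
  for (const body of reports) counts[classifyReport(body)] += 1;
  return counts;
}

console.log(summarize(SAMPLE_REPORTS));
```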
