New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 776822 link

Starred by 1 user

Issue metadata

Status: Duplicate
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug


Show other hotlists

Hotlists containing this issue:
EnamelAndFriendsFixIt


Sign in to add a comment

CSP issue with automatic translate

Reported by marco.da...@gmail.com, Oct 20 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Go to https://pl.internet.nl/domain/example.nl/106611/
2. The page is auto-translate from Polish to -in my case- Dutch
3. The console shows CSP errors such as:
Refused to load the image 'https://www.gstatic.com/images/branding/product/2x/translate_24dp.png' because it violates the following Content Security Policy directive: "img-src 'self' *.internet.nl data:".

What is the expected behavior?
No CSP errors.
CSP-settings should not affect the translate-feature of Chrome, in my mind. This is confusing to the website-owner that set's the Content-Security-Policy header.

What went wrong?
Unexpected CSP errors with regard to the translation-functionality of Chrome. 

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: stable
OS Version: OS X 10.12.6
Flash Version: 

CSP errors do not seem to affect the translation, but they still come unexpected.
 
Schermafbeelding 2017-10-20 om 18.17.49.png
209 KB View Download

Comment 1 by shrike@chromium.org, Oct 20 2017

Components: -UI UI>Browser>Language>Translate
Components: Blink>SecurityFeature
Labels: M-64 Needs-Milestone OS-Linux OS-Windows
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on Mac 10.12.6, Win-10 and Ubuntu 14.04 using chrome stable version #62.0.3202.62 and latest canary #64.0.3247.0.
This is a non-regression issue as it is observed from M50 old builds. 
Note: The page did not auto-translate from Polish to english rather it got translated on pressing the "translate" button. Attached a screen cast for reference.

Hence, marking it as untriaged to get more inputs from dev team.

Thanks...!!
776822.webm
3.2 MB View Download

Comment 4 by mkwst@chromium.org, Oct 24 2017

Cc: andypaicu@chromium.org
Status: Available (was: Untriaged)
This is likely a more general issue with scripts running in isolated worlds. I thought we'd done some work to allow direct requests such as those generated by `<img>` tags to bypass the main world's CSP, but I can imagine that Translate is doing something we're not correctly handling.

+Andy.

Comment 5 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt
Mergedinto: 686364
Status: Duplicate (was: Available)

Sign in to add a comment