HTTP CSP header not taking effect in saved websites
Reported by
mmusterm...@gmail.com,
Jan 12 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
Example URL:
Steps to reproduce the problem: This problem can be reproduced with every website containing the CSP in the HTTP header only.
What is the expected behavior? If a webserver sends an HTTP CSP header for an HTML document, this header should be included in the HTML if not yet done by the developer.
What went wrong? While the online version of a website with e.g. CSP "default 'self'" refuses to load every external resource, a saved website will load these resources without any problems.
Did this work before? No
Chrome version: 63.0.3239.132 Channel: stable
OS Version: 10.0
Flash Version:
,
Jan 12 2018
Google Chrome 61.0.3163.100 (Official Build) (64-bit)
Revision 57c9d07b416b5a2ea23d28247300e4af36329bdc-refs/branch-heads/3163@{#1250}
OS Linux
JavaScript V8 6.1.534.41
Flash 28.0.0.126 /home/wanghui/.config/google-chrome/PepperFlash/28.0.0.126/libpepflashplayer.so
User Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Command Line /usr/bin/google-chrome-stable --flag-switches-begin --flag-switches-end
I can reproduce it too. The CSP is from the HTTP header, while we load it from cache.
,
Jan 12 2018
,
Jan 16 2018
@Reporter: Could you please provide a sample URL/test file to check this issue? This would help in further triaging. Thanks!
,
Jan 18 2018
Try out this page: http://samuell.bplaced.net/csp/. There will be no visible image due to the CSP. But if you save the page, the image appears against the CSP (in this case no CSP is defined at all).
,
Jan 18 2018
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 19 2018
Able to reproduce this issue on reported version 63.0.3239.132 and on latest canary 65.0.3325.0 using the link given in comment#4 on Mac 10.13.1, Ubuntu 14.04 and Windows 10, i.e., in http://samuell.bplaced.net/csp/ no image is seen, but when the page is saved as HTML and opened, the image is seen. This issue is seen from M50. Hence considering this issue as Non-Regression and marking as Untriaged.
,
Jan 22 2018
Hi dimich@ Can you help triage this? It's not clear to me where this belongs because I don't know if the CSP HTTP header is being saved as part of the offline page? If it is saved, then it's a problem with CSP and this issue should go to us but if it's not it probably needs to go to you? Assigning to help with triaging.
,
Jan 22 2018
The CSP header is not being saved as part of the offline page. This header should be added as a meta tag to the HTML, like the Content-Type header is added properly.
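The meta-tag approach suggested in the last comment, sketched as an added example (not code from Chromium or from any commenter): it copies an enforced `Content-Security-Policy` response header into a saved document as `<meta http-equiv>` tags placed first in `<head>`. The function names and sample data are hypothetical, and the regex-based insertion is a simplification. Browsers ignore `frame-ancestors`, `report-uri` and `sandbox` in a meta-delivered policy, and Report-Only policies have no meta form, so those are dropped and reported.

```python
import re

# Directives the CSP spec ignores when a policy is delivered through <meta>.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}

def policies_from_headers(headers):
    """Collect enforced policies from (name, value) response-header pairs."""
    policies = []
    for name, value in headers:
        # Report-Only policies have no <meta> equivalent, so they are skipped.
        if name.strip().lower() == "content-security-policy":
            # One header value may carry several comma-separated policies.
            policies += [p.strip() for p in value.split(",") if p.strip()]
    return policies

def to_meta(policy):
    """Return (meta tag or None, names of directives that had to be dropped)."""
    kept, dropped = [], []
    for directive in filter(None, (d.strip() for d in policy.split(";"))):
        name = directive.split()[0].lower()
        if name in META_UNSUPPORTED:
            dropped.append(name)
        else:
            kept.append(directive)
    if not kept:
        return None, dropped
    content = "; ".join(kept).replace("&", "&amp;").replace('"', "&quot;")
    return f'<meta http-equiv="Content-Security-Policy" content="{content}">', dropped

def embed_csp(document, headers):
    """Insert one <meta> per policy at the start of <head>, before any resource."""
    results = [to_meta(p) for p in policies_from_headers(headers)]
    tags = [tag for tag, _ in results if tag]
    dropped = [name for _, lost in results for name in lost]
    if not tags:
        return document, dropped
    block = "\n".join(tags) + "\n"
    head = re.search(r"<head\b[^>]*>", document, re.I)
    if head:
        pos = head.end()
    else:
        # No <head>: create one after a leading doctype and/or <html> tag.
        pos = re.match(r"\s*(?:<!doctype[^>]*>)?\s*(?:<html\b[^>]*>)?", document, re.I).end()
        block = "<head>\n" + block + "</head>\n"
    return document[:pos] + "\n" + block + document[pos:], dropped

# Constructed sample: a saved page plus the headers it was served with.
SAMPLE_HEADERS = [("Content-Security-Policy", "default-src 'self'; report-uri /r")]
SAMPLE_PAGE = '<html><head><title>t</title></head><body><img src="http://other.example/a.png"></body></html>'
```

Each policy gets its own tag because multiple policies are enforced together, and the tags go ahead of everything else in `<head>` because a meta-delivered policy only governs content that follows it.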
Comment 1 by krajshree@chromium.org, Jan 12 2018