CSP error is breaking the New Tab Page for non-US TLDs
Reported by tldr@fernandomiguel.net, Feb 17 2018
Issue description

Chrome Version : 65.0.3325.73
OS Version: OS X 10.13.4
URLs (if applicable) :

What steps will reproduce the problem?
1. open chrome://newtab

What is the expected result?
for the page to load with the proper google image

What happens instead of that?
images get blocked

Please provide any additional information below. Attach a screenshot if possible.
`Refused to frame 'https://www.google.co.uk/' because it violates the following Content Security Policy directive: "child-src chrome-search://most-visited/ https://*.google.com/". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback.`

Google Chrome 65.0.3325.73 (Official Build) beta (64-bit)
Revision a20ac61a553221683d2f152384ea3a3d80e4c1e9-refs/branch-heads/3325@{#457}
OS Mac OS X
JavaScript V8 6.5.254.21
Flash 28.0.0.161 /Users/fernando/Library/Application Support/Google/Chrome/PepperFlash/28.0.0.161/PepperFlashPlayer.plugin
User Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.73 Safari/537.36
UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.73 Safari/537.36
Feb 17 2018
Maybe related to 807604. sfiera, is the local NTP on at some % of Beta?
Feb 17 2018
Feb 19 2018
Yes, the local NTP is on 50% of Beta. It looks like we were trying to load an interactive Doodle there. That's supposed to be disabled, maybe something's wrong with the configs. I'll take a look.
Feb 19 2018
I can't find anything wrong with the Finch configs.

tldr@fernandomiguel.net, did you change any flags on chrome://flags? In particular, manually enabling chrome://flags/#doodles-on-local-ntp would have this effect.

re #2, this is not quite bug 807604, it fails even earlier :) The problem is that /ddljson (the Doodles API) returns an iframe URL with a country TLD. It should return either a relative URL or an absolute URL pointing to google.com. So the bug is on the server side, but we (Chrome) should still handle this better. I've filed bug 813513 for that.
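The mismatch described in the comment above, as an added example that is not part of the original thread or of Chromium's code: a simplified CSP source check (scheme and host only) applied to the policy and URL quoted in the report. The function and constant names are hypothetical.

```javascript
// Added example: simplified CSP check for frame loads (scheme + host only).
// Ports, paths, keywords such as 'self' and nonces are out of scope.
const SOURCE_RE = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)/i;

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP, only the first occurrence of a directive counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// "*.google.com" covers subdomains of google.com, not other TLDs.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith('*.')) return h.endsWith(p.slice(1));
  return h === p;
}

function frameAllowed(policy, url) {
  const directives = parsePolicy(policy);
  // Frames fall back from frame-src to child-src to default-src.
  const directive = ['frame-src', 'child-src', 'default-src']
    .find((name) => directives.has(name)) || null;
  if (directive === null) return { allowed: true, directive };
  const target = new URL(url);
  const allowed = directives.get(directive).some((source) => {
    const m = SOURCE_RE.exec(source);
    return m !== null &&
      m[1].toLowerCase() + ':' === target.protocol &&
      hostMatches(m[2], target.hostname);
  });
  return { allowed, directive };
}

// Policy and blocked URL as quoted in the report above.
const NTP_POLICY = 'child-src chrome-search://most-visited/ https://*.google.com/';
console.log(frameAllowed(NTP_POLICY, 'https://www.google.co.uk/'));
console.log(frameAllowed(NTP_POLICY, 'https://www.google.com/'));
```

A caller that receives an iframe URL from an API can run this kind of check before creating the frame and fall back to a static image when the URL is not covered by the page's own policy.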
Feb 19 2018
indeed chrome://flags/#doodles-on-local-ntp is enabled

Command Line
/Applications/Google Chrome.app/Contents/MacOS/Google Chrome --flag-switches-begin --autoplay-policy=document-user-activation-required --enable-device-discovery-notifications --enable-audio-focus --enable-offer-upload-credit-cards --enable-devtools-experiments --enable-embedded-extension-options --enable-fast-unload --enable-fullscreen-tab-detaching --enable-google-branded-context-menu --history-entry-requires-user-gesture --enable-hosted-app-quit-notification --enabled-new-style-notification --enable-nacl --enable-offline-auto-reload-visible-only --enable-offline-auto-reload --enable-permission-action-reporting --disable-push-api-background-mode --enable-quic --enable-scroll-prediction --site-per-process --enable-site-settings --enable-spelling-feedback-field-trial --enable-tab-audio-muting --enable-use-zoom-for-dsf=true --enable-webrtc-srtp-aes-gcm --enable-webrtc-srtp-encrypted-headers --enable-scripts-require-action --extension-content-verification=enforce_strict --load-media-router-component-extension=1 --reduced-referrer-granularity --show-overdraw-feedback --top-chrome-md=material 
--enable-features=AnimatedAppMenuIcon,AutofillCreditCardBankNameDisplay,AutofillCreditCardLastUsedDateDisplay,AutofillUpstreamRequestCvcIfMissing,AutomaticTabDiscarding,BackgroundVideoTrackOptimization,BlockTabUnders,BrowserTouchBar,ContentFullscreen,CreditCardAutofillTouchBar,DialogTouchBar,DoodlesOnLocalNtp,EnableHtmlBaseUsernameDetector,ExpensiveBackgroundTimerThrottling,FeaturePolicy,FullscreenToolbarReveal,HttpFormWarning,ImageCaptureAPI,MacMDDownloadShelf,MacSystemShareMenu,MacV2Sandbox,MaterialDesignBookmarks,MediaRemoting,NativeNotifications,NewAudioRenderingMixingStrategy,NewRemotePlaybackPipeline,NoScriptPreviews,NoStatePrefetch,OmniboxDisplayTitleForCurrentUrl,OmniboxSpeculativeServiceWorkerStartOnQueryInput,OmniboxUIExperimentShowSuggestionFavicons,OneGoogleBarOnLocalNtp,OptimizationHints,OriginTrials,OverflowIconsForMediaControls,ParallelDownloading,PermissionsBlacklist,SafeSearchUrlReporting,ScrollAnchoring,ServiceWorkerPaymentApps,SoundContentSetting,SpeculativePreconnect,SpeculativeResourcePrefetching,TabStripKeyboardFocus,TabsInCBD,TopSitesFromSiteEngagement,UseGoogleLocalNtp,UseModernMediaControls,UseNewAcceptLanguageHeader,VibrateRequiresUserGesture,WebPayments,WebPaymentsModifiers,WebRTC-H264WithOpenH264FFmpeg,brotli-encoding,fill-on-account-select,stop-in-background,top-document-isolation --flag-switches-end
Feb 19 2018
Thanks! That explains it then. Closing as WontFix, since there's nothing for us to do. Note the red warning on top of chrome://flags/: These flags often trigger features which are still in development, and just don't fully work yet, like in this case. So play with them at your own risk ;)
Feb 19 2018
alright. reverting that to default
Jul 27
Comment 1 by f...@chromium.org, Feb 17 2018
Labels: -Pri-3 ReleaseBlock-Stable Pri-0
Status: Available (was: Unconfirmed)
Summary: CSP error is breaking the New Tab Page for non-US TLDs (was: Refused to frame 'https://www.google.co.uk/' because it violates the following Content Security Policy directive)