CSP: Chromium's own inline style is being blocked and reported when opening images
Reported by djsty...@gmail.com, Mar 16 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36

Steps to reproduce the problem:
1. Go to a URL containing only an image like https://example.com/image.png
2. Server sends CSP header including "style-src", blocking all inline styles (or all except certain styles with hashes or nonces)

What is the expected behavior?
Image should be shown, nothing else

What went wrong?
Chromium tries to insert some style, probably to center the image. Since inline styles violate the content security policy this is blocked and I get three times (why 3 times?) the same error message:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' data: https: 'nonce-c3R5eHh4Cg=='". Either the 'unsafe-inline' keyword, a hash ('sha256-VPZ2mdsWWlqXOFgt1tAllbbJhG8t9bh6emP1o9GwJxY='), or a nonce ('nonce-...') is required to enable inline execution.

The bad thing is that the error is also reported to the specified report-uri.

Possible solutions:
- Chromium's own styles (really only the ones shipped with Chromium, not those of addons) could not be affected by CSP headers, or
- no report could be filed for violations due to Chromium's own inline styles, or
- a nonce could be set and published so developers can add it to the CSP rules (but then every bad guy could just use the nonce)
- the hash of this inline style could be published,
- the CSP specifications could be extended with a rule specifically targeting such styles or scripts,
- Chromium could stop trying to insert styles when a certain header is received and only do it if the CSP header allows it.

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 65.0.3325.162
Channel: stable
OS Version: 4.14.0-3-amd64 #1 SMP Debian 4.14.17-1
Flash Version:

No addons were running. This also happens in incognito mode.
I'm aware that this is a logical consequence when using strict CSP headers and some browsers trying to beautify shown images with css ;)
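The two defender-side options the report touches on, allow-listing the blocked style by its hash in style-src and filtering the resulting noise at the report-uri endpoint, as an added example that is not code from the bug report or from Chromium. The policy string and the sha256 hash are copied from the console message quoted above (the message identifies that hash as the one that would allow the blocked style); the csp-report JSON layout is the standard report format; the "direct image document" heuristic (document-uri path ending in an image extension) and the sample reports are constructed for this example.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Copied from the console message in the bug report.
REPORTED_POLICY = "style-src 'self' data: https: 'nonce-c3R5eHh4Cg=='"
# Hash the console message names as the one that would allow the blocked inline style.
REPORTED_HASH = "sha256-VPZ2mdsWWlqXOFgt1tAllbbJhG8t9bh6emP1o9GwJxY="

# Heuristic (assumption): a document whose path ends like this is probably a bare image
# that the browser rendered with its own viewer markup, not one of our HTML pages.
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".bmp", ".ico")


def parse_policy(policy):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_policy(directives):
    """Inverse of parse_policy; joins directives with '; ' as browsers accept."""
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in directives.items())


def csp_hash_source(inline_text):
    """'sha256-<base64>' source expression for an inline block, hashed over its exact bytes."""
    digest = hashlib.sha256(inline_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def allow_style_hash(policy, hash_source):
    """Return the policy with hash_source added to style-src (idempotent)."""
    directives = parse_policy(policy)
    sources = directives.setdefault("style-src", [])
    quoted = f"'{hash_source}'"
    if quoted not in sources:
        sources.append(quoted)
    return serialize_policy(directives)


def looks_like_image_document(document_uri):
    return urlparse(document_uri).path.lower().endswith(IMAGE_SUFFIXES)


def triage_report(report_json):
    """Classify one csp-report body: browser-injected style on a bare image, or needs review."""
    body = json.loads(report_json).get("csp-report", {})
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    if (directive.startswith("style-src")
            and body.get("blocked-uri") == "inline"
            and looks_like_image_document(body.get("document-uri", ""))):
        return "likely-browser-image-style"
    return "review"


# Constructed sample reports: one matching the situation in the bug, one for a real page.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/image.png",
        "violated-directive": "style-src 'self' data: https: 'nonce-c3R5eHh4Cg=='",
        "effective-directive": "style-src",
        "blocked-uri": "inline",
        "original-policy": REPORTED_POLICY}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/account",
        "violated-directive": "style-src 'self'",
        "effective-directive": "style-src",
        "blocked-uri": "inline",
        "original-policy": "style-src 'self'"}}),
]


def triage_all(reports=SAMPLE_REPORTS):
    return [triage_report(r) for r in reports]


if __name__ == "__main__":
    print(allow_style_hash(REPORTED_POLICY, REPORTED_HASH))
    print(triage_all())
```

A hash source allows any inline style with exactly those bytes, so it is narrower than 'unsafe-inline' but still worth confirming against the browser's actual injected style before shipping; the triage heuristic only downgrades reports, it never drops them, so a genuine injection on a page whose URL happens to end in .png still lands in the review queue if you log both classes.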
Mar 20 2018

Andy, could you have a look?
Comment 1 by krajshree@chromium.org, Mar 19 2018