Issue 827791

Issue metadata

Status: WontFix
Owner: ----
Closed: Jul 9
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Mac
Pri: 2
Type: Bug



Allowing WSS in CSP recently stopped working

Reported by bertugko...@gmail.com, Mar 31 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Up until 2 weeks ago, it was working with a CSP in my manifest file: "content_security_policy": "script-src 'self' 'unsafe-eval' https://stats.pusher.com; object-src 'self'",
2. Suddenly it stopped working and I started receiving errors: 
> WebSocket connection to 'wss://ws-{pusherId}.pusher.com/app/aae7320263d9626a6429?protocol=7&client=js&version=4.1.0&flash=false' failed: Error in connection establishment: net::ERR_NAME_NOT_RESOLVED

> OPTIONS https://sockjs-{pusherId}.pusher.com/pusher/app/aae7320263d9626a6429/412/0du6seh0/xhr_streaming?protocol=7&client=js&version=4.1.0&t=1522495955875&n=1 net::ERR_NAME_NOT_RESOLVED

3. I tried changing to "content_security_policy": "script-src 'self' 'unsafe-eval' https://*.pusher.com; object-src 'self'; connect-src 'self' https://* wss://*", but it keeps throwing the same errors.

What is the expected behavior?
With the given CSPs, it should connect to wss and https, shouldn't it? Or maybe I am missing something?

What went wrong?
It was working as expected and with the new connect-src policies I added, I think it should relax the wss and https.

WebStore page: https://chrome.google.com/webstore/detail/deftfax/ddeiohaegpcbjenfffkoimijegeahcdi

Did this work before? Yes 

Chrome version: 65.0.3325.181  Channel: stable
OS Version: OS X 10.12.6
Flash Version: 

I am not sure if it recently started after upgrading to Chrome 65.0
 
Labels: Needs-Bisect Needs-Triage-M65
Labels: Triaged-ET Needs-Feedback
Unable to reproduce the issue on chrome reported version 65.0.3325.181 using Mac 10.12.6 with steps mentioned below:
1) Launched chrome reported version and navigated to URL: https://chrome.google.com/webstore/detail/deftfax/ddeiohaegpcbjenfffkoimijegeahcdi and installed the extension
2) Clicked on extension icon and logged in to the site, opened Devtools > Console, didn't observe any error messages as mentioned in comment#0 reproducible steps.

@Reporter: Please find the attached screen cast for your reference and let us know if we missed anything in reproducing the issue. Try to test this issue by creating new person and let us know if the issue still persists.

Thanks!
Attachment: 827791.mp4 (2.0 MB)
The issue is on Extension's BackgroundScript, not on the website. If you look at the console of background script you can see the errors.


Attachment: Screen Shot 2018-04-02 at 12.16.22.png (137 KB)

Comment 4 by sheriffbot@chromium.org, Apr 2 2018

Cc: viswa.karala@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: aicu@chromium.org
Labels: -Needs-Bisect
Unable to reproduce the issue on chrome reported version using Mac 10.12.6 with steps mentioned below:
1) Launched chrome reported version and installed the extension from URL: https://chrome.google.com/webstore/detail/deftfax/ddeiohaegpcbjenfffkoimijegeahcdi
2) Opened Chrome://Extensions, made the Developer mode "ON", Inspect views background page is available on installed extension
3) Clicked on "background page" link, a new Developer tools window opens, didn't observe any errors generated on console page.

@Reporter: Please find the screenshot for your reference.

As this issue is not reproducible from TE end, removing Needs-Bisect label. This issue seems similar to Issue 815142; with reference to 815142, cc'ing: aicu@chromium.org.

Thanks!
Attachment: 827791.png (121 KB)
@viska.karala Sorry, I had to assign you a number to be able to activate the WebSocket. Now I enabled it to your account msat linux that you registered.

To reproduce:
- Login to extension
- Open Background Page like you did.
- There you'll see errors.
Attachment: Screen Shot 2018-04-03 at 11.22.27.png (164 KB)
Labels: Needs-Feedback
Unable to reproduce the issue on chrome reported version (as per comment #7) 65.0.3325.181 using Mac 10.12.6 with steps mentioned below:
1) Launched chrome reported version, installed the extension from URL: https://chrome.google.com/webstore/detail/deftfax/ddeiohaegpcbjenfffkoimijegeahcdi
2) Logged in to extension, opened Chrome://Extensions, made the Developer mode "ON", Inspect views background page is available on installed extension
3) Clicked on "background page" link, a new Developer tools window opens, didn't observe any errors generated on console page.

@Reporter: Please find the attached screen cast for your reference and let us know if we missed anything in reproducing the issue, and provide your feedback on it, which will help in further triaging it.

Thanks!

Attachment: 827791.mp4 (1003 KB)
This time, you didn't let the extension login by opening it once.

Here is how to replicate the issue and the video showing it:
- Make sure you are logged in to the website (you have done it)
- Login to extension - by clicking on the extension icon (you didn't do this step)
- Open Background Page like you did.
- There you'll see errors.
Attachment: deftfax-extension-bug-recreate.mov (5.6 MB)

Comment 10 by sheriffbot@chromium.org, Apr 4 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Type-Bug-Regression M-68 FoundIn-68 Target-68 OS-Linux OS-Windows Type-Bug
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on reported version 65.0.3325.181 and latest canary 68.0.3398.0 using Windows 10, Mac 10.12.6 and Ubuntu 14.04. As this issue is seen from M-60 (60.0.3112.0), considering this issue as Non-Regression and marking as Untriaged.

Thanks!
Cc: rdevlin....@chromium.org
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)
mkwst@, do you know if this is something CSP related?  (I wouldn't expect it to be specific to extensions, but it may be)

Comment 13 by mkwst@chromium.org, Apr 23 2018

Labels: Needs-Feedback
Owner: ----
Status: Unconfirmed (was: Assigned)
"Error in connection establishment: net::ERR_NAME_NOT_RESOLVED" is not a CSP error, it's telling you that the DNS entry you're looking up wasn't found. I can confirm that looking up `ws-mt1480813.pusher.com`, for example, returns NXDOMAIN. I'd suggest looking into that. :)

The CSP error in comment #7 above seems pretty clearly correct: the file being requested isn't allowed by the `script-src` directive.
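
The distinction drawn in comment 13, as an added example that is not part of the original thread and is not Chromium's code: a simplified `connect-src` evaluator showing that neither manifest policy from the report blocks the `wss://` connection, so the failure cannot come from CSP. The function names and the `ws-example.pusher.com` host are constructed for illustration; keyword sources such as `'self'`, schemeless hosts, ports and paths are not modelled.

```javascript
// Added example: simplified CSP source matching for connection targets.
// Not modelled: keyword sources ('self'), schemeless hosts, ports, paths.
const ORIGINAL_POLICY =
  "script-src 'self' 'unsafe-eval' https://stats.pusher.com; object-src 'self'";
const RELAXED_POLICY = "script-src 'self' 'unsafe-eval' https://*.pusher.com; " +
  "object-src 'self'; connect-src 'self' https://* wss://*";
const WSS_TARGET = 'wss://ws-example.pusher.com/app/demo'; // constructed host

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function schemeMatches(sourceScheme, urlScheme) {
  // Simplified: exact match, or the secure variant of the same scheme.
  return sourceScheme === urlScheme ||
    (sourceScheme === 'http' && urlScheme === 'https') ||
    (sourceScheme === 'ws' && urlScheme === 'wss');
}

function sourceMatches(source, url) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/:]+))?/i.exec(source);
  if (!m) return false; // keyword source: not modelled
  if (!schemeMatches(m[1].toLowerCase(), url.protocol.slice(0, -1))) return false;
  const host = m[2] && m[2].toLowerCase();
  if (!host || host === '*') return true; // scheme-only source or any host
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return host === url.hostname;
}

function connectVerdict(policy, target) {
  const directives = parsePolicy(policy);
  // WebSocket, XHR and fetch are governed by connect-src, else default-src.
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return 'not-restricted';
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url)) ? 'allowed' : 'blocked';
}

console.log(connectVerdict(ORIGINAL_POLICY, WSS_TARGET)); // no connect-src at all
console.log(connectVerdict(RELAXED_POLICY, WSS_TARGET));  // matched by wss://*
console.log(connectVerdict('connect-src https://*.pusher.com', WSS_TARGET));
```

A connection that CSP does block is reported as a "Refused to connect" console message and a `securitypolicyviolation` event, not as a `net::` error code.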
rdevlin.cronin@ A Gentle Ping...

Request you to look into this issue and help in further triaging.

Thanks..
Status: WontFix (was: Unconfirmed)
Mac triage: WontFix old issue - this looks resolved by #13.