CSP reports are being limited to 10-pending-reports-per-renderer |
|||
Issue descriptionAs part of adding support for 'keepalive' to Fetch, the existing sendBeacon implementation was refactored to be implemented in terms of Fetch keepalive. To prevent the risk of browser-side memory exhaustion on 'fire and forget' requests, Fetch keepalives and sendBeacons are limited in the number of requests and data that they can send before allowing the renderer to close. However, CSP reporting also makes keepalive fetches (via the PingLoader - https://chromium.googlesource.com/chromium/src/+/3926c014679297816e6d8b6fd72f8261d0acf8fc/third_party/blink/renderer/core/frame/csp/content_security_policy.cc#1401 ), which creates them as KeepAlive requests. This then runs into the Keepalive-per-process requests ( https://chromium.googlesource.com/chromium/src/+/3d42ffeb3d227f908b62432338885df98bddf258/services/network/url_loader_factory.h#64 ) This limits the number of pending CSP reports that can be sent, particularly for load-time violations.
,
May 24 2018
,
May 25 2018
,
May 25 2018
I think the limit is 20, not 10.
,
May 25 2018
Do we have data that would help us understand what the limit should be? Was it unlimited before?
,
May 25 2018
kenjibaheux@: It was practically unlimited before the change, yes. Short-term, would it be enough to remove the `request.SetKeepalive(true)` line from `PingLoader::SendViolationReport` be enough to prevent these reports from violating the keepalive-per-process limit? That would introduce the new problem of dropping some reports when the page dies, but that might be a reasonable tradeoff while cleverer folks come up with a queuing mechanism that makes sense?
,
May 29 2018
We (https://report-uri.com) can regularly see upwards of 50 reports for a given page load when customers are using the CSP Wizard: https://scotthelme.co.uk/report-uri-csp-wizard/ By design it blocks everything in a Report-Only policy to give us full visibility of everything on the page by sending a report, which allows us to build a policy for the user. This is why we first started noticing it as customers drop a huge chunk of reports in many scenarios resulting in reduced coverage. I'm not sure we can or should go to unlimited but a limit like 100 would certainly cover the vast majority of cases we've seen. |
|||
►
Sign in to add a comment |
|||
Comment 1 by rsleevi@chromium.org
, May 24 2018