New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 846348 link

Starred by 3 users
Status: Assigned
Owner:
andypaicu@chromium.org
Last visit > 30 days ago
Cc:
mkwst@chromium.org
yhirano@chromium.org
scott.he...@gmail.com
kenjibaheux@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug



Sign in to add a comment

CSP reports are being limited to 10-pending-reports-per-renderer

Project Member Reported by rsleevi@chromium.org, May 24 2018 
As part of adding support for 'keepalive' to Fetch, the existing sendBeacon implementation was refactored to be implemented in terms of Fetch keepalive. To prevent the risk of browser-side memory exhaustion on 'fire and forget' requests, Fetch keepalives and sendBeacons are limited in the number of requests and data that they can send before allowing the renderer to close.

However, CSP reporting also makes keepalive fetches (via the PingLoader - https://chromium.googlesource.com/chromium/src/+/3926c014679297816e6d8b6fd72f8261d0acf8fc/third_party/blink/renderer/core/frame/csp/content_security_policy.cc#1401 ), which creates them as KeepAlive requests. 

This then runs into the Keepalive-per-process requests ( https://chromium.googlesource.com/chromium/src/+/3d42ffeb3d227f908b62432338885df98bddf258/services/network/url_loader_factory.h#64 )

This limits the number of pending CSP reports that can be sent, particularly for load-time violations.

Comment 1 by rsleevi@chromium.org, May 24 2018 

I'm not sure the status with Site Isolation and whether this might allow for cross-origin exhaustion/blocking of CSP reports, since the limit is per-renderer process.

I'm also not sure whether we should be rethinking how the keepalive implementation is structured. Right now, the Keepalive handle is rate limited, as it will keep the renderer alive. This means that even under normal renderer operation, the number of keepalive requests gets throttled. I wonder if it makes more sense to treat the keepalive requests that, under normal operation, are dispatched as-is, but once a renderer signals intent to shut-down, we no longer allow new requests to be issued and begin reaping handles, such that only X requests for Y seconds post-shutdown are permitted. For the situation of CSP load, this would allow all of the reports to be dispatched, provided that the renderer isn't navigated away/killed, while limiting the number of pending reports if they are.

Comment 2 by jochen@chromium.org, May 24 2018

Status: Assigned (was: Untriaged)

Comment 3 by yhirano@chromium.org, May 25 2018

Cc: yhirano@chromium.org

Comment 4 by yhirano@chromium.org, May 25 2018 

I think the limit is 20, not 10.

Comment 5 by kenjibaheux@chromium.org, May 25 2018 

Do we have data that would help us understand what the limit should be?
Was it unlimited before?

Comment 6 by mkwst@chromium.org, May 25 2018 

kenjibaheux@: It was practically unlimited before the change, yes.

Short-term, would it be enough to remove the `request.SetKeepalive(true)` line from `PingLoader::SendViolationReport` be enough to prevent these reports from violating the keepalive-per-process limit? That would introduce the new problem of dropping some reports when the page dies, but that might be a reasonable tradeoff while cleverer folks come up with a queuing mechanism that makes sense?

Comment 7 by scott.he...@gmail.com, May 29 2018 

We (https://report-uri.com) can regularly see upwards of 50 reports for a given page load when customers are using the CSP Wizard: https://scotthelme.co.uk/report-uri-csp-wizard/

By design it blocks everything in a Report-Only policy to give us full visibility of everything on the page by sending a report, which allows us to build a policy for the user. This is why we first started noticing it as customers drop a huge chunk of reports in many scenarios resulting in reduced coverage.

I'm not sure we can or should go to unlimited but a limit like 100 would certainly cover the vast majority of cases we've seen.

Sign in to add a comment