Issue 904146 link

Issue metadata

Status: Assigned
OS: Windows
Pri: 2
Type: Bug


JavaScript with proper nonce reports violation error in dev tools, but script runs and functions perfectly

Reported by benkres...@gmail.com, Nov 10

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.44 Safari/537.36

Steps to reproduce the problem:
1. Insert/set dynamic nonce value for script tags on page via PHP and insert into HTML.
2. Call site in browser.
3. Open dev tools console and see CSP errors while the offending script still runs.

What is the expected behavior?
No CSP errors, because the script(s) have the correct nonce value and also run.

What went wrong?
No clue. Chrome is the only browser I can reproduce this in. Happens in both Chrome stable and Canary and has for a while. The script that is allegedly blocked (according to the console) still functions perfectly. So, according to Chrome, the script should not be running, yet it does? Makes the errors kind of meaningless?

Did this work before? No

Chrome version: 71.0.3578.44  Channel: stable
OS Version: 10.0
Flash Version: 

I have noticed this behavior for at least a year since I started implementing nonce security for JavaScript.  I have tried several different methods of inserting the nonce (meta, apache conf, headers, etc) and all return the same results.  An error in the console, but the script still runs??  Something doesn't make sense here...

It is always the same error: Refused to load the script '....' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'nonce-ababababababababab' 'unsafe-inline' http: https:". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

How I have gotten around it most of the time is to run Google pagespeedmod on my server and run any and all Javascript locally on that machine.  However, turn off pagespeedmod, and the problem persists.  However, some scripts from the same external or internal sources do load without errors in the console and run perfectly.  The ones that have the errors also run perfectly, but there are CSP violation errors.  It could admittedly be something in my code somewhere... but, I have worked on this for way too long without resolution and thought maybe someone here could help who has seen similar behavior.
 
Labels: Needs-Triage-M71
Cc: phanindra.mandapaka@chromium.org
Labels: Triaged-ET TE-NeedsTriageHelp
Thanks for the issue...

The issue seems to be reproduced using "Insert/set dynamic nonce value for script tags on page via PHP and insert into HTML", which is out of scope for TE. Hence, adding the TE-NeedsTriageHelp label and requesting someone from the respective team to have a look into this and help in further triaging it.

Thanks..!
Owner: einbinder@chromium.org
Thank you for helping this issue find the right people.  Much appreciated!
Status: Assigned (was: Unconfirmed)