Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chrome throws a SecurityError while Firefox does not #120

Closed
teddink opened this issue Sep 28, 2016 · 5 comments
Closed

Chrome throws a SecurityError while Firefox does not #120

teddink opened this issue Sep 28, 2016 · 5 comments

Comments

@teddink
Copy link

teddink commented Sep 28, 2016

The Edge team is currently implementing CSP2 and we are onboarding the w3c/web-platform-tests for CSP. We found a couple of instances where Chrome and Firefox disagree.

Both browsers correctly block the action and send a CSP report. However, sometimes additionally Chrome throws a SecurityError, while Firefox does not.

We haven’t been through all the tests yet, but the pattern seems to be that Chrome throws for actions that can only be instigated via <script>:
• When creating a new EventSource to a blocked URL, Chrome throws while FireFox quietly closes the connection.
• When using ‘sendBeacon’ to send to a blocked URL, Chrome throws while FireFox quietly sends nothing.

The connect-src section of the spec seems to leave the correct behavior ambiguous. What is the expected behavior here?
@michaelficarra
Copy link
Contributor

  1. connect-src Pre-request check returns "Blocked"
  2. Should request be blocked by Content Security Policy? returns "Blocked"
  3. Main fetch step 5 sets response to a network error.
  4. The user agent then does whatever it's supposed to do with a network error from fetch in that particular context.

@annevk
Copy link
Member

annevk commented Sep 29, 2016

@teddink you should get an error event on EventSource in Firefox. I forgot how sendBeacon() surfaces network errors, I suppose it doesn't.

@mikewest
Copy link
Member

@teddink you should get an error event on EventSource in Firefox.

Indeed. We originally were throwing in XHR, EventSource, etc. @annevk convinced me to change it a million years ago, as it aligns the behavior between redirect blockage and non-redirect blockage, and simplifies the interface to Fetch. I thought we updated Chrome, but it's entirely possible that we didn't.

In other words, this sounds like a Chrome bug and not a spec bug. If you file a bug against Chrome, I'll get it fixed.

I forgot how sendBeacon() surfaces network errors, I suppose it doesn't.

sendBeacon() is fire-and-forget. It doesn't surface errors, as its lifetime is decoupled from the context of the document.

@teddink
Copy link
Author

teddink commented Sep 30, 2016

Here you go Mike: 651879

fred-wang pushed a commit to Igalia/chromium that referenced this issue Mar 21, 2017
@mikewest
CSP: 'connect-src' should not cause exceptions.
8a4e051 
We changed the spec quite some time ago to deal with 'connect-src'
violations in Fetch rather than in each API individually. This means
that we should stop throwing exceptions in 'XHR::open', 'EventSource',
'WebSocket', and 'sendBeacon'.

Closes w3c/webappsec-csp#120.

BUG=651879,694525
R=tyoshino@chromium.org,foolip@chromium.org

Review-Url: https://codereview.chromium.org/2456013002
Cr-Commit-Position: refs/heads/master@{#458384}
@mikewest
Copy link
Member

mikewest commented May 9, 2017

This was fixed in Igalia/chromium@8a4e051.

@mikewest mikewest closed this as completed May 9, 2017
This was referenced Jan 30, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mikewest @michaelficarra @annevk @teddink