CSP warning sent when it probably shouldn't be

RESOLVED INVALID

Status

(Reported: 3 years ago; Modified: 2 years ago)

People

(Reporter: jwalker, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog])

I've a web-app that has a CSP policy. It used to pass on both Firefox and Chrome. As of last week (ish) Firefox began complaining. The site appears to work fine in both browsers.

Details in comments.
The policy (as fetched from netmonitor) is

Content-Security-Policy:base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
The violation as reported in the webconsole is:

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src http://localhost:3000")

The CSP violation ping says: {... "violated-directive":"default-src http://localhost:3000"}
I ran with NSPR_LOG_MODULES=CSPContext:5, and ...

2006130688[10a5762d0]: nsCSPContext::nsCSPContext
2006130688[10a5762d0]: nsCSPContext::AppendPolicy: base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: >>>>                      aContentType: 40
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: >>>>                      aContentType: 36
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: >>>>                      aContentType: 4
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: >>>>                      aContentType: 2
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: https://fonts.googleapis.com/css?family=Roboto:400,300,500
2006130688[10a5762d0]: >>>>                      aContentType: 4
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: https://fonts.googleapis.com/css?family=Roboto:400,300,500
2006130688[10a5762d0]: Sent violation report to URI http://localhost:3000/cspviolation
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: https://fonts.gstatic.com/s/roboto/v15/oMMgfZMQthOryQo9n22dcuvvDin1pK8aKteLpeZ5c0A.woff2
...

TL;DR:

"decision: load" followed by "Sent violation report" seems strange...
Some more digging. It looks like it's React Developer Tools.

https://github.com/facebook/react-devtools/issues/134

Is this problem purely Facebook's I wonder?
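An added example, not code from the bug report or from Firefox: a small evaluator for a serialized Content-Security-Policy header, used to replay the requests from the CSPContext log above against the policy quoted in comment 1. It assumes the page origin is http://localhost:3000 (every 'self' URL in the log lives there, and the reported violated-directive "default-src http://localhost:3000" reads like 'self' expanded to that origin when the report was serialized), and it matches 'self' strictly (same scheme, host and port). Under this policy every fetched resource in the log is allowed, which agrees with the "decision: load" lines; what the policy does not allow is an inline script, because script-src falls back to default-src 'self' and nothing there is 'unsafe-inline'. An injected inline script is the kind of thing a devtools extension could add to the page without ever going through ShouldLoad, which would fit a violation report arriving with no matching "decision: block" line; that is a hypothesis about the linked React DevTools issue, not something this bug states. The empty `object-src;` directive is also handled: per the spec an empty source list matches nothing.

```javascript
// Added example (not from the bug report or Firefox): a minimal CSP evaluator.
// ASSUMPTION: page origin is http://localhost:3000; 'self' is matched strictly.
const POLICY = "base-uri 'self'; connect-src 'self' ws://localhost:3000; " +
  "default-src 'self'; font-src 'self' https://fonts.gstatic.com; " +
  "img-src 'self' data:; object-src; report-uri /cspviolation; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com";
const PAGE_ORIGIN = "http://localhost:3000";

// Fetch directives that fall back to default-src when not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src", "object-src",
  "media-src", "frame-src", "child-src", "worker-src", "manifest-src",
]);
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse "name value value; name value" into Map<name, string[]>. The first
// occurrence of a directive wins; an empty value list (like `object-src;`)
// means no source expression matches, i.e. every load is blocked.
function parsePolicy(header) {
  const policy = new Map();
  for (const token of header.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null; // directive not governed by this policy
}

function portOf(u) {
  return u.port || DEFAULT_PORT[u.protocol] || "";
}

// Does one source expression match a URL? Handles 'self', 'none', '*',
// scheme-source (data:) and host-source ([scheme://]host[:port][/path]).
function matchesSource(expr, url, origin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    return url.protocol === origin.protocol && url.hostname === origin.hostname &&
      portOf(url) === portOf(origin);
  }
  if (e.startsWith("'")) return false; // other keywords, nonces, hashes
  if (e === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== origin.protocol && url.protocol !== "https:") {
    return false; // no scheme given: page scheme, or https as an upgrade
  }
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== "*" && portOf(url) !== port) return false;
  if (!port && url.port && url.port !== DEFAULT_PORT[url.protocol]) return false;
  if (path && !url.pathname.startsWith(path)) return false; // simplified path match
  return true;
}

// Would a fetch governed by `directive` be allowed?
function allowsFetch(policy, directive, urlString, pageOrigin = PAGE_ORIGIN) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString), origin = new URL(pageOrigin);
  return sources.some((s) => matchesSource(s, url, origin));
}

// Would an inline <script>/<style> governed by `directive` be allowed?
// CSP3 ignores 'unsafe-inline' once a nonce or hash source is present.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"))) return false;
  return lower.includes("'unsafe-inline'");
}

// Replay the loads from the CSPContext log; all four fetches come back true
// (matching "decision: load"), while an inline script would be blocked.
function replayLog(policy = parsePolicy(POLICY)) {
  return {
    css: allowsFetch(policy, "style-src", "http://localhost:3000/resources/index.css"),
    js: allowsFetch(policy, "script-src", "http://localhost:3000/built/index.js"),
    gfontsCss: allowsFetch(policy, "style-src", "https://fonts.googleapis.com/css?family=Roboto:400,300,500"),
    woff2: allowsFetch(policy, "font-src", "https://fonts.gstatic.com/s/roboto/v15/oMMgfZMQthOryQo9n22dcuvvDin1pK8aKteLpeZ5c0A.woff2"),
    inlineScript: allowsInline(policy, "script-src"),
  };
}
```

The evaluator is deliberately stricter than a browser in two places: 'self' on an http origin is not widened to https/wss, and host-source paths are matched by prefix only. Both are fine for reproducing the decisions in this log, but a real implementation should follow the CSP3 matching algorithm exactly.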
Joe, what are the STR for this problem? Once I know, I can have a look and see what's going on.
Flags: needinfo?(jwalker)
Whiteboard: [domsecurity-backlog]
I've not noticed it for a while.

The STR was fairly simple. React app, delivered with strict CSP (default-src 'self'). I'd be happy to close this, because I no longer see it in my setup. But I'll leave the call up to you since the react issue isn't actually closed.
Flags: needinfo?(jwalker)
(In reply to Joe Walker [:jwalker] (needinfo me or ping on irc) from comment #6)
> I've not noticed it for a while.
> 
> The STR was fairly simple. React app, delivered with strict CSP (default-src
> 'self'). I'd be happy to close this, because I no longer see it in my setup.
> But I'll leave the call up to you since the react issue isn't actually
> closed.

Before closing this I'll ask Kamil if he can reproduce the issue. Kamil, can you give that a try?
Flags: needinfo?(kjozwiak)
As per comment 6, I am closing this one as INVALID since it seems it's not a problem anymore.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(kjozwiak)
Resolution: --- → INVALID