Open Bug 1657519 Opened 4 years ago Updated 1 year ago

Coalesce CSP error reports (Thousands of request being initiated when opening a page)

Categories

(Core :: DOM: Security, enhancement, P3)

People

(Reporter: jya, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog3])

When you open https://webkit.googlesource.com/WebKit/+/master/Source/WebKit/ChangeLog, Firefox slows to a crawl, the UI stops responding and everything becomes extremely sluggish for over 20s on my machine.

Looking at the devtools network requests, you can see in excess of 20,000 POST HTTP requests for CSP which are being denied.

Opening the same page in Chrome loads within a couple of seconds with 10 HTTP requests total (the main one being 690kB in size).

This comes from nsCSPContext::SendReports scheduled from nsCSPContext::AsyncReportViolation. This produces an overwhelming number of requests to https://csp.withgoogle.com/csp/gerritcodereview/1. It's triggered by setting the 'onclick' attribute on each table cell to window.location.hash='#... where ... is the line number.

This is not a networking bug, moving to DOM:Sec. This either needs to be limited or somehow coalesced.

Component: Networking → DOM: Security
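
The coalescing asked for in the comment above, as an added sketch that is not part of the bug thread and not Firefox code. It assumes violations are grouped by document, effective directive and blocked URI (line number and script sample are left out of the key, since they differ for every table cell); the `ReportCoalescer` class, the `maxDistinct` cap and the `coalesced-count` field are hypothetical, and the sample reports are constructed.

```javascript
// Added illustration; not Firefox code. Field names follow the CSP
// report-uri JSON body; the key choice and the cap are assumptions.
const KEY_FIELDS = ["document-uri", "effective-directive", "blocked-uri"];

class ReportCoalescer {
  constructor(maxDistinct = 100) {
    this.maxDistinct = maxDistinct; // hypothetical cap per flush window
    this.pending = new Map();       // key -> { report, count }
    this.dropped = 0;               // reports refused once the cap is hit
  }

  // Called for every violation instead of sending a POST immediately.
  add(report) {
    const key = KEY_FIELDS.map((f) => report[f] ?? "").join("\u0000");
    const entry = this.pending.get(key);
    if (entry) {
      entry.count += 1;             // same violation class: only count it
    } else if (this.pending.size < this.maxDistinct) {
      this.pending.set(key, { report, count: 1 });
    } else {
      this.dropped += 1;            // cap reached: limit instead of queueing
    }
  }

  // Called once per window (for example from a timer); returns bodies to POST.
  flush() {
    const out = [...this.pending.values()].map(({ report, count }) => ({
      "csp-report": report,         // first report seen for this key
      "coalesced-count": count,     // hypothetical extension field
    }));
    this.pending.clear();
    return out;
  }
}

// Constructed input modelled on the bug: one inline handler per table cell.
function simulate(cells) {
  const coalescer = new ReportCoalescer();
  for (let line = 1; line <= cells; line++) {
    coalescer.add({
      "document-uri": "https://example.test/ChangeLog",
      "effective-directive": "script-src-attr",
      "blocked-uri": "inline",
      "line-number": line,
      "script-sample": `window.location.hash='#${line}'`,
    });
  }
  return coalescer.flush();
}
```

With this key, `simulate(20000)` yields a single report body carrying a count of 20000; adding `line-number` to `KEY_FIELDS` would bring back one report per cell, bounded only by the cap.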

The severity field is not set for this bug.
:ckerschb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ckerschb)
Blocks: csp-w3c-3
Severity: -- → N/A
Type: defect → enhancement
Flags: needinfo?(ckerschb)
Priority: -- → P3
Summary: Thousands of request being initiated when opening a page → Coalesce CSP error reports (Thousands of request being initiated when opening a page)
Whiteboard: [domsecurity-backlog3]
See Also: → 1804871
See Also: → 1806276
Whiteboard: [domsecurity-backlog3]
See Also: → 1839165
Whiteboard: [domsecurity-backlog3]