Discussion:
New/broken Content Security Policy on drafts.csswg.org?
Chris Lilley
2018-03-12 19:36:49 UTC
Hi folks,

I'm seeing a new error on drafts.csswg.org today, for documents that
worked fine last week:

Content Security Policy: This site (https://drafts.csswg.org) has a
Report-Only policy without a report URI. CSP will not block and cannot
report violations of this policy.

Followed by lots of console log errors about scripts not loading


Content Security Policy: The page’s settings observed the loading of a
resource at self (“script-src”). A CSP report is being sent. Source: try
{ (function injectPageScriptAPI(scr.... issues:1
<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>

Content Security Policy: The page’s settings observed the loading of a
resource at https://dev.mavo.io/dist/mavo.css (“style-src”). A CSP
report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at https://dev.mavo.io/dist/mavo.js (“script-src”). A CSP
report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at self (“script-src”). A CSP report is being sent. Source: try
{ var AG_onLoad=function(func){if(d.... issues:1
<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>
local mavo.js:7 <https://dev.mavo.io/dist/maps/mavo.js>
Content Security Policy: The page’s settings observed the loading of a
resource at https://plugins.mavo.io/yaml/mavo-yaml.js (“script-src”). A
CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at https://plugins.mavo.io/markdown/mavo-markdown.js
(“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at
https://cdnjs.cloudflare.com/ajax/libs/showdown/1.8.2/showdown.min.js
(“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at
https://cdnjs.cloudflare.com/ajax/libs/dompurify/1.0.2/purify.min.js
(“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at data:image/svg+xml,%3Csvg%20xmlns%3D%22h... (“default-src”).
A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at self (“script-src”). A CSP report is being sent. Source:
call to eval() or related function blocked by CSP. mavoscript.js:382
<https://dev.mavo.io/dist/maps/mavoscript.js>
Content Security Policy: The page’s settings observed the loading of a
resource at
https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169754
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at
https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169758
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at https://api.github.com/user?timestamp=1520883169762
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at https://avatars1.githubusercontent.com/u/2506926?v=4
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at
https://api.github.com/repos/w3c/csswg-drafts?timestamp=1520883170884
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a
resource at
https://cdnjs.cloudflare.com/ajax/libs/js-yaml/3.8.3/js-yaml.min.js
(“script-src”). A CSP report is being sent.
--
Chris Lilley
@svgeesus
Technical Director @ W3C
W3C Strategy Team, Core Web Design
W3C Architecture & Technology Team, Core Web & Media
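The Firefox warning Chris quotes is the whole story in one line: a `Content-Security-Policy-Report-Only` header that carries no `report-uri` (or `report-to`) directive can neither block nor report, so the policy is inert, and the "observed the loading of a resource" messages are Firefox noting what an enforcing version of that policy would have stopped. The following is an added example, not code from the thread, the CSSWG or Mavo: a small policy checker that parses a CSP header, flags a Report-Only policy with nowhere to report, and evaluates the loads listed in the console log above against a policy using the CSP source-expression matching rules (`'self'`, scheme sources such as `data:`, host sources with `*.` wildcards, ports and path prefixes, and the `default-src` fallback for fetch directives). The page URL, both policy strings and the `/csp-report` endpoint are assumptions constructed for the example; the thread never shows the real drafts.csswg.org header. Nonces, hashes, `'strict-dynamic'` and the non-fetch directives (`frame-ancestors`, `sandbox`, ...) are out of scope here.

```javascript
// Added example (not from the thread, the CSSWG or Mavo): a minimal CSP header
// linter and source-list matcher. Policies and the page URL are constructed.

const PAGE_ORIGIN = new URL("https://drafts.csswg.org/css-fonts-3/issues-cr-2017.html"); // assumed page
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "directive src src; directive src" -> Map<directive, string[]>.
// Only the first occurrence of a directive name counts; later ones are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression ('self', data:, *.mavo.io, https://h:443/p/) match a URL?
function sourceMatches(expr, url, page) {
  if (expr === "'self'") return url.origin === page.origin;
  if (expr.startsWith("'")) return false;               // 'none', 'unsafe-*', nonces, hashes: not URL matchers
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;                                 // not a host-source we understand
  const [, scheme, host, port, path] = m;
  const wantScheme = (scheme ? scheme + ":" : page.protocol).toLowerCase();
  // An http: expression also matches https: URLs (scheme upgrade is permitted).
  if (!(url.protocol === wantScheme || (wantScheme === "http:" && url.protocol === "https:"))) return false;
  const h = host.toLowerCase(), uh = url.hostname.toLowerCase();
  if (h !== "*") {
    if (h.startsWith("*.")) { if (!uh.endsWith(h.slice(1))) return false; } // *.a.b matches x.a.b, not a.b
    else if (uh !== h) return false;
  }
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port) { if (port !== "*" && port !== urlPort) return false; }        // explicit port must match
  else if (url.port !== "") return false;                                    // no port: URL must use the default
  if (path) {
    if (path.endsWith("/")) { if (!url.pathname.startsWith(path)) return false; } // directory prefix
    else if (url.pathname !== path) return false;                                   // exact file
  }
  return true;
}

// Fetch directives fall back to default-src; with neither present, the load is unrestricted.
function governingList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

function isAllowed(policy, directive, urlString, page = PAGE_ORIGIN) {
  const list = governingList(policy, directive);
  if (list === null) return true;
  const url = new URL(urlString);
  return list.some((expr) => sourceMatches(expr, url, page));
}

// Inline <script> blocks and eval() carry no URL: they need 'unsafe-inline' (or a
// nonce/hash that the page could carry) and 'unsafe-eval' respectively.
function inlineAllowed(policy, kind /* "inline" | "eval" */) {
  const list = governingList(policy, "script-src");
  if (list === null) return true;
  if (kind === "eval") return list.includes("'unsafe-eval'");
  return list.includes("'unsafe-inline'") || list.some((e) => /^'(nonce|sha(256|384|512))-/.test(e));
}

// What a reviewer would flag. `reportOnly` = sent as Content-Security-Policy-Report-Only.
function lintCsp(header, reportOnly) {
  const policy = parseCsp(header);
  const findings = [];
  if (reportOnly && !policy.has("report-uri") && !policy.has("report-to")) {
    findings.push("Report-Only policy without report-uri/report-to: it neither blocks nor reports, so it does nothing");
  }
  for (const dir of ["script-src", "default-src"]) {
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if ((policy.get(dir) || []).includes(kw)) findings.push(`${dir} allows ${kw}`);
    }
  }
  return findings;
}

// Loads from the console log in the message above, keyed by the fetch directive
// that governs them. Firefox reported the image and API loads under default-src,
// which is what the fallback produces when img-src/connect-src are absent.
const OBSERVED_LOADS = [
  ["style-src", "https://dev.mavo.io/dist/mavo.css"],
  ["script-src", "https://dev.mavo.io/dist/mavo.js"],
  ["script-src", "https://plugins.mavo.io/yaml/mavo-yaml.js"],
  ["script-src", "https://cdnjs.cloudflare.com/ajax/libs/showdown/1.8.2/showdown.min.js"],
  ["img-src", "data:image/svg+xml,%3Csvg%3E%3C/svg%3E"], // constructed stand-in for the truncated data: URL
  ["connect-src", "https://api.github.com/user?timestamp=1520883169762"],
  ["img-src", "https://avatars1.githubusercontent.com/u/2506926?v=4"],
];

function violations(header, loads = OBSERVED_LOADS, page = PAGE_ORIGIN) {
  const policy = parseCsp(header);
  return loads.filter(([dir, url]) => !isAllowed(policy, dir, url, page)).map(([dir, url]) => `${dir} ${url}`);
}

// Constructed policies, not the CSSWG's. The first has the shape the warning
// describes: Report-Only, everything limited to 'self', nowhere to report.
const SILENT_REPORT_ONLY = "default-src 'self'";
const WORKING_POLICY = [
  "default-src 'self'",
  "script-src 'self' https://dev.mavo.io https://plugins.mavo.io https://cdnjs.cloudflare.com",
  "style-src 'self' https://dev.mavo.io",
  "img-src 'self' data: https://avatars1.githubusercontent.com",
  "connect-src 'self' https://api.github.com",
  "report-uri /csp-report", // assumed endpoint; nothing on drafts.csswg.org is known to exist at this path
].join("; ");

console.log("lint (silent):", lintCsp(SILENT_REPORT_ONLY, true));
console.log("violations (silent):", violations(SILENT_REPORT_ONLY));
console.log("violations (working):", violations(WORKING_POLICY));
console.log("eval() allowed (working):", inlineAllowed(parseCsp(WORKING_POLICY), "eval"));
```

Run it with `node` to see the silent policy flag every listed load, and the working policy flag none of them; note that it still reports eval() as disallowed, which matches the `mavoscript.js:382` message in the log. To check what a server really sends, fetch the headers directly (`curl -sI <page-url> | grep -i content-security`) rather than inferring the policy from console output, and remember that a Report-Only header is only worth deploying once its reports land somewhere you read.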
François REMY
2018-03-12 19:48:08 UTC
Sounds like something @Lea Verou should be looking at.



From: Chris Lilley <***@w3.org>
Sent: Monday, 12 March, 2018 12:37
To: www-***@w3.org
Subject: New/broken Content Security Policy on drafts.csswg.org?


Hi folks,

I'm seeing a new error on drafts.csswg.org today, for documents that worked fine last week:

Content Security Policy: This site (https://drafts.csswg.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.

Followed by lots of console log errors about scripts not loading

Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src”). A CSP report is being sent. Source: try { (function injectPageScriptAPI(scr.... issues:1<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>
Content Security Policy: The page’s settings observed the loading of a resource at https://dev.mavo.io/dist/mavo.css (“style-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://dev.mavo.io/dist/mavo.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src”). A CSP report is being sent. Source: try { var AG_onLoad=function(func){if(d.... issues:1<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>
local mavo.js:7<https://dev.mavo.io/dist/maps/mavo.js>
Content Security Policy: The page’s settings observed the loading of a resource at https://plugins.mavo.io/yaml/mavo-yaml.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://plugins.mavo.io/markdown/mavo-markdown.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://cdnjs.cloudflare.com/ajax/libs/showdown/1.8.2/showdown.min.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://cdnjs.cloudflare.com/ajax/libs/dompurify/1.0.2/purify.min.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at data:image/svg+xml,%3Csvg%20xmlns%3D%22h... (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src”). A CSP report is being sent. Source: call to eval() or related function blocked by CSP. mavoscript.js:382<https://dev.mavo.io/dist/maps/mavoscript.js>
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169754 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169758 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/user?timestamp=1520883169762 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://avatars1.githubusercontent.com/u/2506926?v=4 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/repos/w3c/csswg-drafts?timestamp=1520883170884 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://cdnjs.cloudflare.com/ajax/libs/js-yaml/3.8.3/js-yaml.min.js (“script-src”). A CSP report is being sent.
--
Chris Lilley

@svgeesus

Technical Director @ W3C

W3C Strategy Team, Core Web Design

W3C Architecture & Technology Team, Core Web & Media
Tab Atkins Jr.
2018-03-12 21:27:11 UTC
What specs are you seeing these on? They don't show up on all of them,
apparently.
Chris Lilley
2018-03-13 03:23:11 UTC
Post by Tab Atkins Jr.
What specs are you seeing these on? They don't show up on all of them,
apparently.
It was a disposition of comments. But it turns out that was not the
actual cause. It is fixed now.