Bug 173314

Summary:

CSP reports are not sent

Product:

WebKit

Reporter:

Scott Helme <scotthelme>

Component:

Page Loading

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED CONFIGURATION CHANGED

Severity:

Normal

CC:

beidson, bfulgham, bsdkurt, dbates, mkwst, simon.fraser, webkit-bug-importer, wilander

Priority:

Keywords:

InRadar

Version:

Safari 10

Hardware:

All

OS:

All

Attachments:

Description	Flags
CSP reports hanging in developer tools.	none
Fixed in Safari TP.	none

Scott Helme

Reported 2017-06-13 07:56:14 PDT

Created attachment 312771 [details] CSP reports hanging in developer tools. The latest version of Safari does not send CSP reports when it should. I have setup a CSP test page that intentionally violates my policy to cause reports to be sent. Steps To Reproduce 1) Open safari and navigate to https://scotthelme.co.uk 2) Open the dev tools and look at the network tab. 3) Navigate to https://scotthelme.co.uk/csp-test/ 4) Look at requests made to https://report-uri.io which is the CSP reporting endpoint, they hang forever. What Happens The CSP reports appear in the network tab but they never complete. The requests hang forever and never time out. What Should Happen The CSP reports should be sent. I have attached a screenshot of the problem. It might be worth pointing out the Origin is set to null on the reports too, this is also shown in the screenshot.

Attachments
CSP reports hanging in developer tools. (188.70 KB, image/png) 2017-06-13 07:56 PDT, Scott Helme	no flags	Details
Fixed in Safari TP. (201.30 KB, image/png) 2018-01-29 08:22 PST, Scott Helme	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Mike West

Comment 1 2017-06-13 08:15:41 PDT

CCing folks who might be able to triage this for you, Scott.

Radar WebKit Bug Importer

Comment 2 2017-06-13 16:32:26 PDT

<rdar://problem/32752360>

Daniel Bates

Comment 3 2017-06-14 11:36:27 PDT

I am able to reproduce in Safari Version 10.1 (12603.1.24). Using Google Chrome for Mac Version 60.0.3112.24 (Official Build) beta (64-bit) I see that it made 5 requests to https://scotthelme.report-uri.io/r/default/csp/reportOnly of which 4 are marked with status "(canceled)" and one has a HTTP 403 "Forbidden" status code.

Scott Helme

Comment 4 2017-06-23 04:36:41 PDT

Any updates on this yet? I'm still seeing the problem and also hearing it reported more widely. It'd be great to see if there's something that can be done to resolve.

Scott Helme

Comment 5 2017-07-08 10:26:31 PDT

This still seems to be ongoing, any updates?

Scott Helme

Comment 6 2017-09-02 08:42:16 PDT

Just checking in again. Any movement on this?

Daniel Bates

Comment 7 2017-09-02 17:30:11 PDT

(In reply to Scott Helme from comment #6) > Just checking in again. Any movement on this? I hope to look into this issue next week (09/05) at latest the week after that. If you want to help expedite progress it would be great to post a reduced test case to this bug. (If you really want to expedite the fix then posting a patch with a layout test would be even better).

Scott Helme

Comment 8 2018-01-29 08:22:28 PST

Created attachment 332542 [details] Fixed in Safari TP.

Scott Helme

Comment 9 2018-01-29 08:22:53 PST

This issue is still present in Safari 11.0.2 (13604.4.7.1.6) but it does appear to be fixed in Safari Technology Preview Release 48 (Safari 11.2, WebKit 13606.1.2.2). The requests are reported as type 'ping', perhaps that could be clarified and they could be 'csp-report' instead? I've attached a screenshot of Safari TP sending reports.

Daniel Bates

Comment 10 2018-01-29 11:17:49 PST

(In reply to Scott Helme from comment #9) > This issue is still present in Safari 11.0.2 (13604.4.7.1.6) but it does > appear to be fixed in Safari Technology Preview Release 48 (Safari 11.2, > WebKit 13606.1.2.2). > > The requests are reported as type 'ping', perhaps that could be clarified > and they could be 'csp-report' instead? > Please file a Web Inspector bug with this enhancement request.

Daniel Bates

Comment 11 2018-01-29 11:22:48 PST

(In reply to Scott Helme from comment #8) > Created attachment 332542 [details] > Fixed in Safari TP. Various changes were made to the ping loading machinery in WebKit2. Marking Resolved Configuration Changed. When I have a chance, I'll look find the progression.

Scott Helme

Comment 12 2018-04-10 05:31:20 PDT

This bug appears to be back again.

Simon Fraser (smfr)

Comment 13 2019-06-16 21:31:44 PDT

Scott, can you be more specific? What Safari/STP version did you test in?

Brent Fulgham

Comment 14 2022-02-11 14:39:23 PST

We see that CSP reports are being sent properly in current software.

Note You need to log in before you can comment on or make changes to this bug.