CSP (content security policy) breaks some sites when they are launched from an existing web page #16251
Comments
|
I think this is related too #16156 |
|
Maybe. If the devs judge that the issues are the same, feel free to close this one. |
|
Can you check if Chrome is affected? we've had reports Chrome had similar issues. @pitsi |
|
I have chromium and chrome, both on v91.0.4472.77, but on my windows partition. I will later transfer my page there and check. |
|
And no, chromium and chrome from windows are not affected. Both pages load with no issues and no errors in the console. |
|
Can confirm. Quora is breaking, if the site is opened in the same tab. But it works when the site is opened in new tab. |
|
I do not have a quora account, thus I am not logged in to the site. I added it to my simple page, and it opens up as usual, asking for credentials. If you do have an account in quora, can you please check the console for similar errors? The forementioned sites (facebok and cockpit) cause the issue whether they are lauched on the same tab or in a new one. ---edit |
|
One very minor discovery I just made. Pressing f5 to refresh that broken page (= any of the pages mentioned above) does not resolve the issue. The same errors appear on the console too. |
|
Okay looked into this. Bisected to a
|
|
@pitsi @ask1234560 I'm investigating a fix for this; in the meantime you should be able to work around it by disabling |
|
It worked for me! |
|
Thanks @antonok-edm it works for me too. |
|
When 1.27.x reaches stable and this thing is resolved, can someone please post here and let us know to change the flag back? |
|
Thanks! I got the upgrade a few minutes ago, switched |
|
Sorry for bringing up a 3 month old issue, but I have to ask before opening a new one. A page I visit shows up blank since the 2 weeks ago and this is what the console says
Is it the same as above? I do not mean the error, because it obviously isn't, I mean the reason. If it is not the same, I will open a new issue. |
|
@pitsi the CORS error is not related to brave. CORS or cross origin request sharing error happens when CORS header is not present usually this is done in the backend. |
Description
As mentioned in the title, csp (content security policy) breaks some sites when they are launched from an existing page.
I use a simple page as my new tab and launch the 20+ sites I mostly visit from there. Right now, facebook and cockpit (local page, web console for linux servers) are affected. The error output in brave's console (f12 > console) always looks similar to this
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-random numbers and letters'), or a nonce ('nonce-...') is required to enable inline execution.This can also be considered a followup of #13929
Steps to Reproduce
Actual result:
Facebook's page appears completely blank. Cockpit's appears like so
Expected result:
I assume everyone knows how facebook's main page looks. Cockpit's should appear like so, prompting the user for credentials.
Reproduces how often:
Easily.
Brave version (brave://version info)
Brave 1.25.68 Chromium: 91.0.4472.77 (Official Build) (64-bit)
Revision 1cecd5c8a856bc2a5adda436e7b84d8d21b339b6-refs/branch-heads/4472@{# 1246}
OS Linux
Version/Channel Information:
Other Additional Information:
Miscellaneous Information:
In order for facebook to appear blank, the user must be already logged in in facebook. If not, it shows the usual facebook login page but the same errors on the console.
Moreover, if the forementioned link leads to any of facebook's subpages, e.g.
the page appears blank as well and the same errors appear on the console.
Last but not least, if instead of pressing the link, the user types the url in the address bar, each page opens with no issues and no errors in the console.
The text was updated successfully, but these errors were encountered: