Page CSP can block Reader Mode stylesheet #24577

Closed
Seirdy opened this issue Aug 10, 2022 · 2 comments · Fixed by brave/brave-core#21958
Seirdy commented Aug 10, 2022

Description

A site's content-security-policy can block the Reader Mode's inline CSS from loading if the CSP uses a hash.

Steps to Reproduce

  1. Navigate to any page on https://seirdy.one/
  2. Open the Console in DevTools
  3. Activate Reader Mode

Actual result:

The CSS for Reader Mode is not applied; the page is completely unstyled. The console reports the following error:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha256-yeoa9pw7t4Un85jGWHQcNLZ8XpPN6AiUnk6+8tiGT44='". Either the 'unsafe-inline' keyword, a hash ('sha256-/zANq2Ot1HS0JMxZ4NpGDtN5wIJOxobb5Rqjx9AKsCU='), or a nonce ('nonce-...') is required to enable inline execution.

Expected result:

Expected Reader Mode to function normally and render styled, as it does in other desktop browsers (Firefox, Safari, Edge, Vivaldi, Chromium with DOM Distiller, etc).

Reproduces how often:

Easily + consistently reproducible.

Brave version (info found on brave://version)

1.44.31 Chromium: 104.0.5112.81 (Official Build) nightly (64-bit)

Version/Channel Information:

I have only attempted to reproduce this issue on the Nightly channel. I first noticed the issue a month ago and reproduced it just now, so it should have trickled down to other channels by now.

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? No.
  • Does the issue resolve itself when disabling Brave Rewards? No.
  • Is the issue reproducible on the latest version of Chrome? No.

Miscellaneous Information:

The full CSP that triggers this issue:

content-security-policy: default-src 'none';img-src 'self';style-src 'sha256-yeoa9pw7t4Un85jGWHQcNLZ8XpPN6AiUnk6+8tiGT44=';frame-ancestors 'none';base-uri 'none';form-action https://seirdy.one/webmentions/receive https://seirdy.one/search/;manifest-src 'self';webrtc 'block';upgrade-insecure-requests;sandbox allow-same-origin allow-forms

The exact hash is subject to change if/when I update my site's stylesheet.


Seirdy commented Nov 11, 2022

Other functionality broken by page CSPs: #24577

This issue can also be reproduced on https://grapheneos.org/articles/grapheneos-servers. This isolates the offending CSP directive to a style-src which does not allow unsafe-inline.

stephendonner commented

Verified PASSED using

Brave | 1.64.81 Chromium: 122.0.6261.43 (Official Build) beta (x86_64)
-- | --
Revision | 19b9ce86d7aed2a1fdb7734d6a27f2fe6abd0153
OS | macOS Version 14.4 (Build 23E5205c)

Steps:

  1. installed 1.64.81
  2. launched Brave
  3. loaded https://seirdy.one/ and clicked on an archive entry
  4. clicked on Turn on Speedreader
  5. did the same for https://grapheneos.org/articles/grapheneos-servers

Confirmed Speedreader ("Reader mode") activated and rendered fine

Screenshots (2024-02-21): Speedreader rendering on seirdy.one and on grapheneos.org/articles/grapheneos-servers.
