brave-browser: CSP (content security policy) breaks some sites when they are launched from an existing web page
Description
As mentioned in the title, csp (content security policy) breaks some sites when they are launched from an existing page. I use a simple page as my new tab and launch the 20+ sites I mostly visit from there. Right now, facebook and cockpit (local page, web console for linux servers) are affected. The error output in brave’s console (f12 > console) always looks similar to this
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-random numbers and letters'), or a nonce ('nonce-...') is required to enable inline execution.
This can also be considered a followup of #13929
Steps to Reproduce
- Create a simple web page locally, e.g.
<html>
<head>
<title>a simple page</title>
</head>
<body>
<a href="https://www.facebook.com/">Facebook</a>
<a href="https://192.168.1.5:9090">Cockpit</a>
</body>
</html>
- Open it in brave.
- Click on any of the 2 links mentioned.
- Notice that the pages appear broken.
- The errors appear in the console (f12 > console)
Actual result:
Facebook’s page appears completely blank. Cockpit’s appears like so
Expected result:
I assume everyone knows how facebook’s main page looks. Cockpit’s should appear like so, prompting the user for credentials.
Reproduces how often:
Easily.
Brave version (brave://version info)
Brave 1.25.68 Chromium: 91.0.4472.77 (Official Build) (64-bit) Revision 1cecd5c8a856bc2a5adda436e7b84d8d21b339b6-refs/branch-heads/4472@{# 1246} OS Linux
Version/Channel Information:
- Can you reproduce this issue with the current release? Yes
- Can you reproduce this issue with the beta channel? Probably
- Can you reproduce this issue with the nightly channel? Probably
Other Additional Information:
- Does the issue resolve itself when disabling Brave Shields? No
- Does the issue resolve itself when disabling Brave Rewards? No
- Is the issue reproducible on the latest version of Chrome? No. Tested on chrome unstable, v93.0.4530.5 as of today.
Miscellaneous Information:
In order for facebook to appear blank, the user must be already logged in in facebook. If not, it shows the usual facebook login page but the same errors on the console.
Moreover, if the forementioned link leads to any of facebook’s subpages, e.g.
facebook.com/messages
facebook.com/bravesoftware
the page appears blank as well and the same errors appear on the console.
Last but not least, if instead of pressing the link, the user types the url in the address bar, each page opens with no issues and no errors in the console.
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 18
Thanks! I got the upgrade a few minutes ago, switched
#brave-adblock-csp-rulesback to default and now works as it should.@pitsi @ask1234560 I’m investigating a fix for this; in the meantime you should be able to work around it by disabling
#brave-adblock-csp-rulesunderbrave://flags@pitsi the CORS error is not related to brave. CORS or cross origin request sharing error happens when CORS header is not present usually this is done in the backend.
@pitsi This change has been uplifted to the next 1.25.x hotfix release, which is actually scheduled for later today as far as I’m aware.
@kjozwiak I added
QA/Nohere since there’s already aQA/Yeslabel on https://github.com/brave/brave-browser/issues/16283, which is tied to the same PR - feel free to update that if necessaryOkay looked into this. Bisected to a
<html><body><a href="https://duckduckgo.com/">Link</a></body></html>Nightly v1.25.17onwards.https://github.com/brave/brave-browser/compare/v1.25.16...v1.25.17