Service Worker is blocking CSP violation reports
See original GitHub issueπ bug report
Affected Package
The issue is caused by package @angular/service-workerIs this a regression?
UnknownDescription
My page includes a CSP (Content Security Policy) violation. The header specifies a reportURI. When the browser attempts to send the violation report that request is handled by the service worker. The service worker fails to send the report with this error:Fetch API cannot load https://mikvah.report-uri.com/r/d/csp/reportOnly. Request mode is "no-cors" but the redirect mode is not "follow". (anonymous) @ ngsw-worker.js:2709
π¬ Minimal Reproduction
Have a webserver serve an application that creates a CSP violation, for example send a header like: `content-security-policy-report-only: img-src www.permitted.com; report-uri https://a-diffefrent-domain.com/r/d/csp/reportOnlyβ
and include an img tag for an image from a different domain (aside from permitted.com)
Ensure that your Angular setup creates a service worker.
Open the page, triggering a violation and a report.
π₯ Exception or Error
Fetch API cannot load https://mikvah.report-uri.com/r/d/csp/reportOnly. Request mode is "no-cors" but the redirect mode is not "follow".
(anonymous) @ ngsw-worker.js:2709
π Your Environment
Angular Version:
_ _ ____ _ ___
/ \ _ __ __ _ _ _| | __ _ _ __ / ___| | |_ _|
/ β³ \ | '_ \ / _` | | | | |/ _` | '__| | | | | | |
/ ___ \| | | | (_| | |_| | | (_| | | | |___| |___ | |
/_/ \_\_| |_|\__, |\__,_|_|\__,_|_| \____|_____|___|
|___/
Angular CLI: 8.1.0
Node: 10.15.3
OS: darwin x64
Angular: 8.1.0
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... platform-server, router, service-worker
Package Version
-----------------------------------------------------------
@angular-devkit/architect 0.801.0
@angular-devkit/build-angular 0.801.0
@angular-devkit/build-optimizer 0.801.0
@angular-devkit/build-webpack 0.801.0
@angular-devkit/core 8.1.0
@angular-devkit/schematics 8.1.0
@angular/pwa 0.801.0
@ngtools/webpack 8.1.0
@schematics/angular 8.1.0
@schematics/update 0.801.0
rxjs 6.5.2
typescript 3.4.5
webpack 4.35.2
Anything else relevant?
Google Chrome Version 75.0.3770.100
Issue Analytics
- State:
- Created 4 years ago
- Reactions:3
- Comments:8 (6 by maintainers)
Top Results From Across the Web
CSP errors and warnings (Content Security Policy) - HTTP
CSP will not block and cannot report violations of this policy. Failed to parse unrecognized source %1$S; An attempt to execute inline scriptsΒ ......
Read more >How to fix 'because it violates the following content security ...
Blocked by Content Security Policy. 'csp error because it violates the following content security policy directive'. Content Security Policy error message.
Read more >Monitor Content Security Policy Violations With Datadog
If there is an attempt to load a blocked resource, it results in what is known as a CSP violation. CSP reporting provides...
Read more >Test of CSP: worker-src browsers support
Despite the fact that workers 1. and 2. are formally created, CSP do block them. The browser sends 2 violation reports and displays...
Read more >Content Security Policy Level 3 - W3C
Given a request ( request ), this algorithm returns Blocked or Allowed and reports violations based on request 's policy container's CSP list....
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Ran into the same issue. βFixedβ it by bypassing the service worker for the CSP reporting uri. Angular provides a way to do this by adding a query parameter. Add the
ngsw-bypass
query parameters to the CSP report-uri directive:report-uri https://mikvah.report-uri.com/r/d/csp/reportOnly?ngsw-bypass=true
It would help with investigating this if we could get our hands on a minimal reproduction π
(Note to self: Might be related to #31330 or #24227.)