Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Content Security Policy error in XML parsing in Chrome
See original GitHub issue- Package Name: azure/core
- Package Version: Unknown, but code introduced in https://github.com/Azure/azure-sdk-for-js/commit/d1bc00b00199f0bebcb52d064b7a12df90436c8e#diff-9e0e581981750681d3bfa10a039c1cae8e0aaba5193c40352eec62a20d3b6660R20
- Operating system: All
- nodejs
- version:
- browser
- name/version: Google Chrome 86.0 (released October 6th) and later
- typescript
- version:
- Is the bug related to documentation in
- README.md
- source code documentation
- SDK API docs on https://docs.microsoft.com
Describe the bug
The Azure SDK for JavaScript includes a utility module for XML parsing. As part of initializing the module, it attempts to parse an invalid XML string at https://github.com/Azure/azure-sdk-for-js/blob/0f1c73f76331d23efb61c9f636ee2d2338b8e113/sdk/core/core-http/src/util/xml.browser.ts#L35
In most browsers, this returns a document containing a <parseerror> element describing the error. The error document contains inline styles which the browser interprets. In version 86.0 and newer of Chrome (https://bugs.chromium.org/p/chromium/issues/detail?id=1148221), the error document inherits the Content Security Policy from the owner document. Therefore, on pages with a Content Security Policy with a style-src directive not including unsafe-inline, Azure SDK for JavaScript causes a CSP error to be reported and shown in the console.
To Reproduce Steps to reproduce the behavior:
- Set up a page with a Content Security Policy with a
style-srcdirective not containingunsafe-inline, for examplestyle-src: 'self'. - Load the Azure SDK for JavaScript.
- Open page in Google Chrome version 86.0 or newer.
- Look for Content Security Policy error in console.
Expected behavior No Content Security Policy error should be shown in the console.
Screenshots
Additional context I’m unsure if and when the issue in Chrome will be fixed. Until it is fixed, the XML parser module will necessarily cause a Content Security Policy error when parsing an invalid XML string on sites with the relevant policy. However, since XML parsing errors are likely not expected during normal usage of the library, it would still be beneficial to prevent the CSP error on load to save developer effort in debugging it.
Potential fixes could be to:
- Lazily testing for browser behavior when first parsing error is encountered, instead of at module load.
- Removing the check for browser behavior completely and always querying for the
parsererrorelement, even in Internet Explorer.
Issue Analytics
- State:
- Created 3 years ago
- Comments:8 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
This has been published in @azure/core-http v1.2.3
Yes, this is exactly the same as I planned to do. Also thanks for the code snippets @kimsey0!