CSP audit does not recognize the `navigate-to` directive
FAQ
- Yes, my issue is not about variability or throttling.
- Yes, my issue is not about a specific accessibility audit (file with axe-core instead).
URL
What happened?
The CSP-XSS audit contains the following result:
```json
"items": [
  {
    "severity": "Syntax",
    "description": {
      "type": "code",
      "value": "default-src 'none'; img-src 'self' data:; style-src 'sha256-c7tfd/i7WbwPTbxi2MfuSn2JRsea7zAQwNbEPKDAoUk='; style-src-attr 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; manifest-src 'self'; upgrade-insecure-requests; navigate-to 'none'"
    },
    "subItems": {
      "type": "subitems",
      "items": [
        {
          "directive": "navigate-to",
          "description": "Unknown CSP directive."
        }
      ]
    }
  }
]
```
What did you expect?
I expected the CSP to be valid, as `navigate-to` is a valid CSP directive documented in the spec for CSP Level 3, written largely by the Chrome team.
What have you tried?
No response
How were you running Lighthouse?
CLI
Lighthouse Version
8.5.1
Chrome Version
96.0.4659.0 (Developer Build) (64-bit), revision 927069
Node Version
v14.17.6
Relevant log output
No response
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (2 by maintainers)
Top GitHub Comments
Yeah, I’ll ping for an npm release
On Mon, Oct 04, 2021 at 12:25:00PM -0700, Adam Raine wrote:
The bug was just closed; the master branch of CSP-evaluator now understands the “navigate-to” and “webrtc” CSPv3 directives.
– Seirdy (https://seirdy.one)
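
The "Unknown CSP directive." finding in this issue is the kind of result an allow-list check produces when its list predates a directive. The sketch below is an added example, not code from Lighthouse or CSP Evaluator; the function names and the partial directive lists are assumptions made for illustration.

```javascript
// Added illustration; not code from Lighthouse or CSP Evaluator.
// BASE_DIRECTIVES is a constructed, partial allow-list: the directives used in
// the issue's policy, minus navigate-to. The real tools' lists are longer.
const BASE_DIRECTIVES = [
  'default-src', 'img-src', 'style-src', 'style-src-attr', 'frame-ancestors',
  'base-uri', 'form-action', 'manifest-src', 'upgrade-insecure-requests',
];
// Adds the two directives the final comment says the evaluator now understands.
const UPDATED_DIRECTIVES = [...BASE_DIRECTIVES, 'navigate-to', 'webrtc'];

// Split a serialized policy into [directive, values[]] pairs. Directive names
// are ASCII case-insensitive, so they are lower-cased before comparison.
// Empty segments (for example from a trailing ';') are skipped.
function parsePolicy(policy) {
  return policy
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const [name, ...values] = part.split(/\s+/);
      return [name.toLowerCase(), values];
    });
}

// Return one finding per distinct directive name missing from the allow-list,
// shaped like the subItems in the audit output quoted in the issue.
function findUnknownDirectives(policy, knownDirectives) {
  const known = new Set(knownDirectives);
  const reported = new Set();
  const findings = [];
  for (const [directive] of parsePolicy(policy)) {
    if (known.has(directive) || reported.has(directive)) continue;
    reported.add(directive);
    findings.push({ directive, description: 'Unknown CSP directive.' });
  }
  return findings;
}

// The policy from the issue, verbatim.
const POLICY = "default-src 'none'; img-src 'self' data:; style-src 'sha256-c7tfd/i7WbwPTbxi2MfuSn2JRsea7zAQwNbEPKDAoUk='; style-src-attr 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; manifest-src 'self'; upgrade-insecure-requests; navigate-to 'none'";

console.log(findUnknownDirectives(POLICY, BASE_DIRECTIVES));    // one finding
console.log(findUnknownDirectives(POLICY, UPDATED_DIRECTIVES)); // no findings
```

A "Syntax" finding of this kind reflects the checker's directive list as much as the policy, so compare the tool version against the directives you deploy before treating it as a policy error.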