Lighthouse broken when CSP connect-src 'none' #4386

Open
laukstein opened this issue Jan 30, 2018 · 4 comments

@laukstein laukstein commented Jan 30, 2018

Chrome v64 DevTools Audits hangs forever without returning a result.
The Lighthouse v2.8.0 extension would throw an error:

VM204:5 Refused to connect to 'http://example.com/' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

__nativePromise.resolve.then._ @ VM204:5
Promise.then (async)
(anonymous) @ VM204:5
wrapInNativePromise @ VM204:3
(anonymous) @ VM204:21
VM204:5 Refused to connect to 'http://example.com/' because it violates the document's Content Security Policy.

Content-Security-Policy: default-src 'none'; connect-src 'self' would solve the issue, but I think Lighthouse mustn't break and depend on connect-src 'self'.

A related issue, #2319, was once open.

Author

@laukstein laukstein commented Jul 23, 2018

The same error also occurs in getRobotsTxtContent (Lighthouse v3.0.3), resulting in "robots.txt is not valid":

Lighthouse was unable to download your robots.txt file

Refused to connect to 'https://example.com/robots.txt' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

getRobotsTxtContent @ VM1773:7
__nativePromise.resolve.then._ @ VM1773:17
Promise.then (async)
(anonymous) @ VM1773:5
wrapInNativePromise @ VM1773:3
(anonymous) @ VM1773:31
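
Why the two policies quoted in the comments above behave differently, as an added example that is not part of the original comments and is not Lighthouse code: `connect-src` governs in-page `fetch()`/XHR and falls back to `default-src` when it is absent. The function names and the simplified source matching are assumptions made for illustration.

```javascript
// Added example, not Lighthouse code. Source matching is simplified:
// no wildcard hosts, ports or paths, and 'self' is a strict origin match.

// Parse a CSP header value into Map<directive, sources[]>; the first copy of a directive wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression allow the target URL?
function sourceMatches(source, page, target) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return target.protocol === 'http:' || target.protocol === 'https:';
  if (s.endsWith(':')) return target.protocol === s; // scheme-source, e.g. https:
  try {
    return new URL(s).origin === target.origin;      // host-source with a scheme
  } catch {
    return false;                                    // anything else: treat as no match
  }
}

// Decide whether an in-page fetch()/XHR from pageUrl to targetUrl is permitted,
// and report which directive governed the decision.
function checkConnect(header, pageUrl, targetUrl) {
  const csp = parseCsp(header);
  const directive = ['connect-src', 'default-src'].find((d) => csp.has(d)) || null;
  if (directive === null) return {allowed: true, directive}; // nothing restricts fetch
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const allowed = csp.get(directive).some((s) => sourceMatches(s, page, target));
  return {allowed, directive};
}

// Constructed inputs modelled on the two policies quoted in the issue.
const PAGE = 'https://example.com/';
const ROBOTS = 'https://example.com/robots.txt';
console.log(checkConnect("default-src 'none'", PAGE, ROBOTS));
console.log(checkConnect("default-src 'none'; connect-src 'self'", PAGE, ROBOTS));
```

With `connect-src 'self'` added, only same-origin requests such as the robots.txt fetch are permitted; cross-origin connections from the page remain blocked.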

Author

@laukstein laukstein commented Mar 16, 2019

Any ETA on when this will be fixed?
https://web.dev/measure breaks on the same error, showing an invalid message

You mustn't say the error is on the customer side when it is actually a Lighthouse incompatibility bug.

Collaborator

@patrickhulce patrickhulce commented Mar 16, 2019

No ETA, this requires fetching outside the context of the page which is not something Lighthouse can do in most environments at the moment.

thestinger added a commit to GrapheneOS/grapheneos.org that referenced this issue May 5, 2019
This reverts commit d30566d.

This is needed by Lighthouse, and it's worth making a harmless exception
for it to work properly.

GoogleChrome/lighthouse#4386
thestinger added a commit to GrapheneOS/grapheneos.org that referenced this issue May 5, 2019
This reverts commit d30566d.

This is needed by Lighthouse to fetch robots.txt and it's worth making a
harmless exception for it to work properly.

GoogleChrome/lighthouse#4386
hectorm added a commit to hectorm/hblock that referenced this issue Aug 6, 2019
runar added a commit to runar/runar.st that referenced this issue Nov 8, 2019
Setting connect-src to 'self' solves the issue reported here:
GoogleChrome/lighthouse#4386

This commit also adds a report uri to monitor the CSP.
Collaborator

@connorjclark connorjclark commented Jan 7, 2020

#9459 would help?
