Some 500 responses to /_/csp-violation

[shane-tomlinson]

From Kibana:

Nothing stands out to me that would cause an exception with the route.

Attaching a heart to this because 500 responses cause stress, spurious ones even more so.

[philbooth]

Not sure how likely it is in reality, but the thing that stands out to me is dereferencing report without checking whether it was in in the request body. If it's not set for any reason we should return a 400 error.

[shane-tomlinson]

Not sure how likely it is in reality, but the thing that stands out to me is dereferencing report without checking whether it was in in the request body.

I initially thought that too until I noticed the line that checks whether the request is well-formatted.

Does returning false cause a 500?

[vladikoff]

We already do res.json({result: 'ok'}); so either this error happened when the content server was updating / down or the request was malformed in such a way that Express was not able to process it properly (could be the size of the request)

[vladikoff]

need to check the kibana dashboard to see how many of these we are getting

[jrgm]

Yeah, see the other bug. String.length !== String "byteLength".

[vladikoff]

trigger a csp warning with a script sample that has unicode characters.
dxr has code that truncates the script sample.

[vladikoff]

from mtg: on the server we can parse the content and not use the bodyParser.

[jrgm]

I think there is a fix for this pending in Gecko - https://bugzilla.mozilla.org/show_bug.cgi?id=1307321

[shane-tomlinson]

Closing as "this is firefox's fault"