A few days ago I had an opportunity to trace an issue with iOS Chrome not loading a page. The page and all of its resources were downloaded properly, but Chrome kept indicating that it was still working on loading the page, so the 'load' event never fired. The problem only occurred when reloading the site. Copying the whole content to a local static web server did not reproduce the issue, so the content itself was not the problem. I cut the whole page down to a simple 'hello world' page and the problem still existed on the original web server, so I had to look deeper, at the HTTP headers. I created a sample web server that reproduces the problem I found:
# Python 2: the BaseHTTPServer module became http.server in Python 3
import BaseHTTPServer


class HTTPHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    # report-uri endpoint: Chrome POSTs a JSON CSP violation report here
    def do_POST(s):
        length = int(s.headers['Content-Length'])
        print length
        data = s.rfile.read(length).decode('utf-8')
        print data
        # acknowledge the report so the browser does not wait on the connection
        s.send_response(204)
        s.end_headers()

    def do_GET(s):
        s.send_response(200)
        # the only unusual header: a CSP restricting every source to 'self'
        s.send_header("Content-Security-Policy", "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' ; media-src 'self'; frame-src 'self'; font-src 'self' ;connect-src 'self'; report-uri '192.168.43.17/report'")
        s.send_header("Content-Type", "text/html;charset=UTF-8")
        s.end_headers()
        s.wfile.write("<html><head><title>hello</title></head><body><p>hello world %s</p></body></html>" % s.path)


if __name__ == '__main__':
    server_class = BaseHTTPServer.HTTPServer
    httpd = server_class(('192.168.43.17', 80), HTTPHandler)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
The only unusual element here is the CSP header, which protects the site against cross-site scripting and provides a mechanism for reporting violations. It turns out that Chrome itself is what gets reported: it violates the following directives:

1) frame-src with URI: chromeinvoke://cd931b8a0ca6aaed193d25b429ee4019
    "csp-report": {
        "document-uri": "http://192.168.43.17/",
        "referrer": "",
        "violated-directive": "frame-src 'self'",
        "original-policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' ; media-src 'self'; frame-src 'self'; font-src 'self' ;connect-src 'self'; report-uri '192.168.43.17/report'",
        "blocked-uri": "chromeinvoke://cd931b8a0ca6aaed193d25b429ee4019",
        "source-file": "http://192.168.43.17/",
        "line-number": 1
    }

2) connect-src with URI: https://localhost
    "csp-report": {
        "document-uri": "http://192.168.43.17/",
        "referrer": "",
        "violated-directive": "connect-src 'self'",
        "original-policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' ; media-src 'self'; frame-src 'self'; font-src 'self' ;connect-src 'self'; report-uri '192.168.43.17/report'",
        "blocked-uri": "https://localhost",
        "source-file": "http://192.168.43.17/",
        "line-number": 1
    }

3) frame-src with URI: chromenull://
    "csp-report": {
        "document-uri": "http://192.168.43.17/",
        "referrer": "",
        "violated-directive": "frame-src 'self'",
        "original-policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' ; media-src 'self'; frame-src 'self'; font-src 'self' ;connect-src 'self'; report-uri '192.168.43.17/report'",
        "blocked-uri": "chromenull://",
        "source-file": "http://192.168.43.17/",
        "line-number": 21
    }

4) frame-src with URI: chromeinvokeimmediate://3726692da42473af155b530fe0e48c61
    "csp-report": {
        "document-uri": "http://192.168.43.17/",
        "referrer": "",
        "violated-directive": "frame-src 'self'",
        "original-policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'self'; img-src 'self' ; media-src 'self'; frame-src 'self'; font-src 'self' ;connect-src 'self'; report-uri '192.168.43.17/report'",
        "blocked-uri": "chromeinvokeimmediate://3726692da42473af155b530fe0e48c61",
        "source-file": "http://192.168.43.17/",
        "line-number": 2
    }
Further investigation showed that:
The issue of Chrome reporting its internal/plugin URLs as violations is already known and has been submitted here.
Changing frame-src from 'self' to * fixes the loading issue but lowers security.
Interestingly, when switching from incognito mode to normal mode I can briefly see an iframe:
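As an added example (not code from the original post, written in Python 3 rather than the post's Python 2), here is a report-uri collector that separates browser-internal noise, such as the chromeinvoke:// and chromenull:// frames iOS Chrome creates, from violations caused by page content, together with a helper that builds the post's policy. The helper can append scheme-sources to frame-src as a narrower alternative to *; whether that form actually lets iOS Chrome finish loading the page is an assumption that the post did not test. The /report path, the 64 KiB body limit and the 127.0.0.1:8080 bind address are arbitrary choices; the sample report bodies are constructed from the four reports shown above.

```python
# Added example (not from the original post): Python 3 CSP report-uri
# collector that buckets reports by the scheme of blocked-uri, plus a
# builder for the policy with an optional narrower frame-src than "*".
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Schemes taken from the blocked-uri values in the post's reports; they come
# from the iOS Chrome app itself, not from anything the page embeds.
BROWSER_INTERNAL_SCHEMES = ("chromeinvoke", "chromeinvokeimmediate", "chromenull")

# Upper bound on a report body (assumed limit); larger bodies are rejected.
MAX_REPORT_BYTES = 64 * 1024

# Directives copied from the post's policy. report-uri is emitted unquoted
# because the CSP grammar takes a bare URI reference there.
BASE_DIRECTIVES = [
    ("script-src", "'self' 'unsafe-inline' 'unsafe-eval'"),
    ("style-src", "'self' 'unsafe-inline'"),
    ("object-src", "'self'"),
    ("img-src", "'self'"),
    ("media-src", "'self'"),
    ("frame-src", "'self'"),
    ("font-src", "'self'"),
    ("connect-src", "'self'"),
]


def build_csp(report_uri="/report", extra_frame_sources=()):
    """Serialize the policy. extra_frame_sources appends scheme-sources such as
    "chromeinvoke:" to frame-src (assumed alternative to "*", untested here)."""
    parts = []
    for name, value in BASE_DIRECTIVES:
        if name == "frame-src" and extra_frame_sources:
            value = " ".join((value,) + tuple(extra_frame_sources))
        parts.append("%s %s" % (name, value))
    parts.append("report-uri %s" % report_uri)
    return "; ".join(parts)


def classify_blocked_uri(blocked_uri):
    """'browser-internal' for Chrome's own schemes, 'loopback' for localhost,
    'external' for everything else (the bucket worth alerting on)."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in BROWSER_INTERNAL_SCHEMES:
        return "browser-internal"
    if parts.scheme in ("http", "https") and parts.hostname in ("localhost", "127.0.0.1"):
        return "loopback"
    return "external"


def parse_csp_report(body):
    """Parse one report-uri POST body; returns None if it is not a CSP report."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    # "frame-src 'self'" -> "frame-src"
    directive = str(report.get("violated-directive", "")).split(" ")[0]
    blocked = str(report.get("blocked-uri", ""))
    return {"directive": directive, "blocked_uri": blocked,
            "category": classify_blocked_uri(blocked)}


def summarize(bodies):
    """Count parsed reports per (directive, category); malformed bodies are skipped."""
    counts = {}
    for body in bodies:
        parsed = parse_csp_report(body)
        if parsed is None:
            continue
        key = (parsed["directive"], parsed["category"])
        counts[key] = counts.get(key, 0) + 1
    return counts


class ReportHandler(BaseHTTPRequestHandler):
    """report-uri endpoint; only POST is served."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_REPORT_BYTES:
            self.send_response(413)
            self.end_headers()
            return
        parsed = parse_csp_report(self.rfile.read(length))
        if parsed is None:
            self.send_response(400)
        else:
            # a real collector would route browser-internal reports to a
            # low-priority bucket; here each report is printed with its bucket
            print(parsed["category"], parsed["directive"], parsed["blocked_uri"])
            self.send_response(204)
        self.end_headers()


def _report(directive, blocked):
    # constructed report body with the fields the classifier uses
    return json.dumps({"csp-report": {"document-uri": "http://192.168.43.17/",
                                      "violated-directive": directive,
                                      "blocked-uri": blocked}}).encode()


# Constructed from the four reports shown in the post.
SAMPLE_REPORTS = [
    _report("frame-src 'self'", "chromeinvoke://cd931b8a0ca6aaed193d25b429ee4019"),
    _report("connect-src 'self'", "https://localhost"),
    _report("frame-src 'self'", "chromenull://"),
    _report("frame-src 'self'", "chromeinvokeimmediate://3726692da42473af155b530fe0e48c61"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

Before shipping either policy variant, serve it under Content-Security-Policy-Report-Only first: the browser then sends the same reports without blocking anything, which shows what a given client would have blocked before the enforcing header can break page load. The browser-internal bucket is there so that noise can be dropped from alerting; it is not a reason to widen frame-src to *, which would also allow any third-party frame.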
