Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lighthouse broken when CSP connect-src 'none' #4386

Closed
laukstein opened this issue Jan 30, 2018 · 11 comments
Closed

Lighthouse broken when CSP connect-src 'none' #4386

laukstein opened this issue Jan 30, 2018 · 11 comments
Labels
DevTools P1.5 upstream-action-required

Comments

@laukstein
Copy link

laukstein commented Jan 30, 2018
edited
Loading

Chrome v64 DEV Tools Audits hangs forever without returning result.
Lighthouse v2.8.0 extension would throw error:

VM204:5 Refused to connect to 'http://example.com/' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

__nativePromise.resolve.then._ @ VM204:5
Promise.then (async)
(anonymous) @ VM204:5
wrapInNativePromise @ VM204:3
(anonymous) @ VM204:21
VM204:5 Refused to connect to 'http://example.com/' because it violates the document's Content Security Policy.

Content-Security-Policy: default-src 'none'; connect-src 'self' would solve the issue, but I think Lighthouse mustn't break and depend on connect-src 'self'.

Once was open related issue #2319
@laukstein
Copy link
Author

The same error also in getRobotsTxtContent (Lighthouse v3.0.3) resulting "robots.txt is not valid"

Lighthouse was unable to download your robots.txt file

Refused to connect to 'https://example.com/robots.txt' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

getRobotsTxtContent @ VM1773:7
__nativePromise.resolve.then._ @ VM1773:17
Promise.then (async)
(anonymous) @ VM1773:5
wrapInNativePromise @ VM1773:3
(anonymous) @ VM1773:31

grabilla g10024

@laukstein
Copy link
Author

Any ETA when this will be fixed.
https://web.dev/measure breaks on same error showing invalid message

grabilla em5576

You mustn't say the error is in customer side when actually is Lighthouse incompatibility bug.

@laukstein laukstein mentioned this issue Mar 16, 2019
Closed
@patrickhulce
Copy link
Collaborator

No ETA, this requires fetching outside the context of the page which is not something Lighthouse can do in most environments at the moment.

thestinger added a commit to GrapheneOS/grapheneos.org that referenced this issue May 5, 2019
@thestinger
add back connect-src 'self' for Lighthouse
302fa15 
This reverts commit d30566d.

This is needed by Lighthouse to fetch robots.txt and it's worth making a
harmless exception for it to work properly.

GoogleChrome/lighthouse#4386
@patrickhulce patrickhulce mentioned this issue May 18, 2019
Closed
hectorm added a commit to hectorm/hblock that referenced this issue Aug 6, 2019
@hectorm
Added "connect-src 'self'" CSP rule.
a74ac7e 
Workaround for GoogleChrome/lighthouse#4386
@connorjclark
Copy link
Collaborator

connorjclark commented Jan 7, 2020
edited
Loading

#9459 would help?

@connorjclark connorjclark mentioned this issue Feb 27, 2020
Merged
@lukiffer
Copy link

It took a while to discover this issue and FWIW, a more descriptive error message would be helpful when the CSP blocks the request as opposed to an HTTP error response.

At a minimum, it would be helpful to add to the documentation for this check under "Common errors include:"

@patrickhulce patrickhulce mentioned this issue Aug 12, 2020
Closed
@martinburger martinburger mentioned this issue Oct 2, 2020
Closed
@Seirdy Seirdy mentioned this issue Dec 13, 2020
Closed
@patrickhulce patrickhulce added P1.5 and removed P2 labels Apr 19, 2021
@patrickhulce
Copy link
Collaborator

patrickhulce commented Jun 15, 2021
edited
Loading

This has been fixed by #12423 🎉 (requires Chrome 92)

@jitendravyas
Copy link

I am on chrome canary 93 and still having this issue

@adamraine
Copy link
Member

@jitendravyas do you have a public URL you can share?

@jitendravyas
Copy link

jitendravyas commented Jun 21, 2021 via email

@adamraine
Copy link
Member

The issues reported in Lighthouse are related to SameSite cookie, not CSP. They are hidden by default in the DevTools issues panel:

Screen Shot 2021-06-21 at 1 35 29 PM

You can show them by clicking the "Include third-party cookie issues" checkbox.

@Seirdy Seirdy mentioned this issue Jun 30, 2021
Open
@bogdy
Copy link

bogdy commented Oct 28, 2022
edited
Loading

just add ["connect-src 'self'" CSP rule. I have tested for https://bogdanbiris.com

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
DevTools P1.5 upstream-action-required
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@jitendravyas @laukstein @vinamratasingal-zz @bogdy @lukiffer @patrickhulce @connorjclark @exterkamp @adamraine