RE: New/broken Content Security Policy on drafts.csswg.org?

Sounds like something @Lea Verou should be looking at.



From: Chris Lilley <chris@w3.org>
Sent: Monday, 12 March, 2018 12:37
To: www-style@w3.org
Subject: New/broken Content Security Policy on drafts.csswg.org?


Hi folks,

I'm seeing a new error on drafts.csswg.org today, for documents that worked fine last week:

Content Security Policy: This site (https://drafts.csswg.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.

Followed by lots of console log errors about scripts not loading

Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src”). A CSP report is being sent. Source: try { (function injectPageScriptAPI(scr.... issues:1<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>
Content Security Policy: The page’s settings observed the loading of a resource at https://dev.mavo.io/dist/mavo.css (“style-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://dev.mavo.io/dist/mavo.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src”). A CSP report is being sent. Source: try { var AG_onLoad=function(func){if(d.... issues:1<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>
local mavo.js:7<https://dev.mavo.io/dist/maps/mavo.js>
Content Security Policy: The page’s settings observed the loading of a resource at https://plugins.mavo.io/yaml/mavo-yaml.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://plugins.mavo.io/markdown/mavo-markdown.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://cdnjs.cloudflare.com/ajax/libs/showdown/1.8.2/showdown.min.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://cdnjs.cloudflare.com/ajax/libs/dompurify/1.0.2/purify.min.js (“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at data:image/svg+xml,%3Csvg%20xmlns%3D%22h... (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src”). A CSP report is being sent. Source: call to eval() or related function blocked by CSP. mavoscript.js:382<https://dev.mavo.io/dist/maps/mavoscript.js>
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169754 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169758 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/user?timestamp=1520883169762 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://avatars1.githubusercontent.com/u/2506926?v=4 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://api.github.com/repos/w3c/csswg-drafts?timestamp=1520883170884 (“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at https://cdnjs.cloudflare.com/ajax/libs/js-yaml/3.8.3/js-yaml.min.js (“script-src”). A CSP report is being sent.

--

Chris Lilley

@svgeesus

Technical Director @ W3C

W3C Strategy Team, Core Web Design

W3C Architecture & Technology Team, Core Web & Media