W3C home > Mailing lists > Public > www-style@w3.org > March 2018

New/broken Content Security Policy on drafts.csswg.org?

From: Chris Lilley <chris@w3.org>
Date: Mon, 12 Mar 2018 15:36:49 -0400
To: "www-style@w3.org" <www-style@w3.org>
Message-ID: <a95f0540-8a6b-1ea5-f167-630498ea599e@w3.org>
Hi folks,

I'm seeing a new error on drafts.csswg.org today, for documents that 
worked fine last week:

Content Security Policy: This site (https://drafts.csswg.org) has a 
Report-Only policy without a report URI. CSP will not block and cannot 
report violations of this policy.

Followed by lots of console log errors about scripts not loading


Content Security Policy: The page’s settings observed the loading of a 
resource at self (“script-src”). A CSP report is being sent. Source: try 
{ (function injectPageScriptAPI(scr.... issues:1 
<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>

Content Security Policy: The page’s settings observed the loading of a 
resource at https://dev.mavo.io/dist/mavo.css (“style-src”). A CSP 
report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at https://dev.mavo.io/dist/mavo.js (“script-src”). A CSP 
report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at self (“script-src”). A CSP report is being sent. Source: try 
{ var AG_onLoad=function(func){if(d.... issues:1 
<https://drafts.csswg.org/issues?spec=css-fonts-3&doc=cr-2017>
local mavo.js:7 <https://dev.mavo.io/dist/maps/mavo.js>
Content Security Policy: The page’s settings observed the loading of a 
resource at https://plugins.mavo.io/yaml/mavo-yaml.js (“script-src”). A 
CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at https://plugins.mavo.io/markdown/mavo-markdown.js 
(“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at 
https://cdnjs.cloudflare.com/ajax/libs/showdown/1.8.2/showdown.min.js 
(“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at 
https://cdnjs.cloudflare.com/ajax/libs/dompurify/1.0.2/purify.min.js 
(“script-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at data:image/svg+xml,%3Csvg%20xmlns%3D%22h... (“default-src”). 
A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at self (“script-src”). A CSP report is being sent. Source: 
call to eval() or related function blocked by CSP. mavoscript.js:382 
<https://dev.mavo.io/dist/maps/mavoscript.js>
Content Security Policy: The page’s settings observed the loading of a 
resource at 
https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169754 
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at 
https://api.github.com/repos/w3c/csswg-drafts/contents/css-fonts-3/issues-cr-2017.yaml?timestamp=1520883169758 
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at https://api.github.com/user?timestamp=1520883169762 
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at https://avatars1.githubusercontent.com/u/2506926?v=4 
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at 
https://api.github.com/repos/w3c/csswg-drafts?timestamp=1520883170884 
(“default-src”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a 
resource at 
https://cdnjs.cloudflare.com/ajax/libs/js-yaml/3.8.3/js-yaml.min.js 
(“script-src”). A CSP report is being sent.

-- 
Chris Lilley
@svgeesus
Technical Director @ W3C
W3C Strategy Team, Core Web Design
W3C Architecture & Technology Team, Core Web & Media
Received on Monday, 12 March 2018 19:36:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:09:10 UTC