CSP audit does not recognize the `navigate-to` directive
FAQ
- [X] Yes, my issue is not about variability or throttling.
- [X] Yes, my issue is not about a specific accessibility audit (file with axe-core instead).
URL
https://seirdy.one
What happened?
The CSP-XSS audit contains the following result:

```json
"items": [
  {
    "severity": "Syntax",
    "description": {
      "type": "code",
      "value": "default-src 'none'; img-src 'self' data:; style-src 'sha256-c7tfd/i7WbwPTbxi2MfuSn2JRsea7zAQwNbEPKDAoUk='; style-src-attr 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; manifest-src 'self'; upgrade-insecure-requests; navigate-to 'none'"
    },
    "subItems": {
      "type": "subitems",
      "items": [
        {
          "directive": "navigate-to",
          "description": "Unknown CSP directive."
        }
      ]
    }
  }
]
```
What did you expect?
I expected the CSP to be valid, as navigate-to is a valid CSP directive documented in the spec for CSP Level 3 (https://www.w3.org/TR/CSP3/#directive-navigate-to), written largely by the Chrome team.
What have you tried?
No response
How were you running Lighthouse?
CLI
Lighthouse Version
8.5.1
Chrome Version
96.0.4659.0 (Developer Build) (64-bit), revision 927069
Node Version
v14.17.6
Relevant log output
No response
A few more points:
- Google's CSP Evaluator tool has the same issue
- I temporarily turned off the sandbox directive on my website to run this test, since Lighthouse can't run on a site with a restrictive sandbox directive; it won't be possible to replicate the results when I re-enable this directive, but it can be reproduced on any site that sends a CSP with a navigate-to directive.
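To make the failure mode concrete, here is a minimal directive-name check of the kind the audit performs, written as an added example for this page. It is not Lighthouse's or csp-evaluator's code. The directive list is assembled from the CSP Level 2/3 drafts as they stood around the time of this thread and is an assumption of the example (the draft's directive set has changed since); the "old evaluator" set simply models the two directives the thread says were missing, navigate-to and webrtc.

```javascript
// Added example, not csp-evaluator's implementation.
// Known directive names; assumed from the CSP2/CSP3 drafts, not from the thread.
const CSP3_DIRECTIVES = new Set([
  // fetch directives
  'child-src', 'connect-src', 'default-src', 'font-src', 'frame-src',
  'img-src', 'manifest-src', 'media-src', 'object-src', 'prefetch-src',
  'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr', 'worker-src',
  // document directives
  'base-uri', 'sandbox',
  // navigation directives
  'form-action', 'frame-ancestors', 'navigate-to',
  // reporting directives
  'report-uri', 'report-to',
  // other directives
  'upgrade-insecure-requests', 'block-all-mixed-content',
  'require-trusted-types-for', 'trusted-types', 'webrtc',
]);

// Models the evaluator before the fix described in the thread: the same list
// minus the two CSP3 directives it did not yet understand.
const OLD_EVALUATOR_DIRECTIVES = new Set(
  [...CSP3_DIRECTIVES].filter((name) => name !== 'navigate-to' && name !== 'webrtc'),
);

// Parse a serialized policy per the CSP3 grammar: directives are separated by
// ';', tokens by ASCII whitespace, and directive names compare case-insensitively.
// Returns [{ name, values }] in source order (empty directives are skipped).
function parsePolicy(serialized) {
  const directives = [];
  for (const raw of serialized.split(';')) {
    const tokens = raw.split(/[ \t\n\r\f]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.push({ name: tokens[0].toLowerCase(), values: tokens.slice(1) });
  }
  return directives;
}

// Produce the "Unknown CSP directive." syntax findings for a policy, one per
// directive whose name is not in `known`. Passing a different `known` set
// lets you compare the pre-fix and post-fix behaviour on the same policy.
function unknownDirectives(serialized, known = CSP3_DIRECTIVES) {
  return parsePolicy(serialized)
    .filter((d) => !known.has(d.name))
    .map((d) => ({ directive: d.name, description: 'Unknown CSP directive.' }));
}

// The policy quoted in the audit output above.
const ISSUE_POLICY =
  "default-src 'none'; img-src 'self' data:; " +
  "style-src 'sha256-c7tfd/i7WbwPTbxi2MfuSn2JRsea7zAQwNbEPKDAoUk='; " +
  "style-src-attr 'none'; frame-ancestors 'none'; base-uri 'none'; " +
  "form-action 'none'; manifest-src 'self'; upgrade-insecure-requests; navigate-to 'none'";

// Stand-alone demonstration: the old list flags navigate-to, the full list does not.
console.log('old evaluator:', JSON.stringify(unknownDirectives(ISSUE_POLICY, OLD_EVALUATOR_DIRECTIVES)));
console.log('with CSP3 list:', JSON.stringify(unknownDirectives(ISSUE_POLICY)));
```

Note that a directive the parser does not know is not the same as a directive the browser ignores: an audit that reports a spec-listed directive as unknown produces noise that trains people to dismiss the Syntax severity, which is the practical harm in this issue. A genuinely unknown name, such as a typo like `img-sr`, is what the check exists to catch, and the same function reports it regardless of which list is used.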
Looks like this is an open bug on CSP evaluator https://github.com/google/csp-evaluator/issues/34
On Mon, Oct 04, 2021 at 12:25:00PM -0700, Adam Raine wrote:
Looks like this is an open bug on CSP evaluator https://github.com/google/csp-evaluator/issues/34
The bug was just closed; the master branch of CSP-evaluator now understands the "navigate-to" and "webrtc" CSPv3 directives.
-- Seirdy (https://seirdy.one)
Yeah, I'll ping for an npm release