Amphtml: https://cdn.ampproject.org CSP prevent a worker from creating when use amp-bind

Created on 12 May 2017  路  6Comments  路  Source: ampproject/amphtml 
amp-worker.js:91 Refused to create a worker from 'blob:https://cdn.ampproject.org/b7f6ed9c-4432-409f-b57c-047335b9daba' because it violates the following Content Security Policy directive: "script-src https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

error.js:137 Failed to construct 'Worker': Access to the script at 'blob:https://cdn.ampproject.org/b7f6ed9c-4432-409f-b57c-047335b9daba' is denied by the document's Content Security Policy.
Hd @ error.js:137
(anonymous) @ error.js:193
amp-worker.js:91 Uncaught (in promise) DOMException: Failed to construct 'Worker': Access to the script at 'blob:https://cdn.ampproject.org/b7f6ed9c-4432-409f-b57c-047335b9daba' is denied by the document's Content Security Policy.
    at https://cdn.ampproject.org/rtv/011494446565961/v0/amp-bind-0.1.js:84:217
    at <anonymous>

What's the issue?

amp-bind not work in page served by cdn.ampproject.org

How do we reproduce the issue?

  1. visit https://cdn.ampproject.org/c/s/m.aliexpress.com/amp/item/32608337089.html
  2. and you can see the error from console

image

Externally Tracked High Priority
Source
picture echopi

All 6 comments

Looks like this issue only shows up on Chrome Canary... Chrome Production works without a problem.

micyeung picture micyeung on 12 May 2017
👍1

Strange, since script-src is not supposed to be a fallback directive for worker-src:

If this directive is absent, the user agent will look for the child-src directive (which falls back to the default-src directive).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src

I'll reach out to the Chrome team.

choumx picture choumx on 12 May 2017

This was a recent change in W3C: https://github.com/w3c/webappsec-csp/issues/146 and https://github.com/w3c/web-platform-tests/pull/5175

choumx picture choumx on 12 May 2017
👍1

AMP Cache CSP change: cl/156356007

choumx picture choumx on 18 May 2017

AMP Cache change submitted, we added script-src blob: to CSP.

/cc @dknecht FYI

choumx picture choumx on 18 May 2017

Had that problem today adding script-src blob: to my CSP didn't work, worker-src blob: did work, I guess Google Chrome still hasn't done a proper fallback yet.

ghost picture ghost on 18 Jun 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mrjoro picture mrjoro  路  3Comments
mkhatib picture mkhatib  路  3Comments
Download picture Download  路  3Comments
sryze picture sryze  路  3Comments
edhollinghurst picture edhollinghurst  路  3Comments