YoMan78

Reputation: 1307

Chrome v. 39 and Content-Security-Policy HTTP header

We recently discovered an interesting bug in the newly released Chrome v.39.

It just crashed with the standard "Aw Snap!" message on every page with an iframe if that iframe loads a page with a Content-Security-Policy HTTP header. This blocked our web-site because we host some third-party ads. From what I found, the "Content-Security-Policy" header is a W3C standard and Google Chrome used to support it between the v.25 and v.38 releases. But from now on they don't.

Does anyone know a nice practical solution for this issue? Is there a way to prevent Chrome from crashing without this workaround?

Upvotes: 1

Views: 516

Answers (2)

Yao

Reputation: 11

If you want to support Chrome 39/40, I found that adding the protocol in front of the domain would prevent the crash (it's not required in CSP 2.0, but it's better than a crash).

If you want to support Chrome 41, it didn't crash even without the protocol name.

Hope this helps.

Upvotes: 1
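
The workaround in the answer above (putting the protocol in front of each domain in the policy), sketched as an added example that is not part of the original answer. The function names and the sample policy are hypothetical, and `https` is assumed to be the right scheme for every host; an explicit scheme also pins those sources to that scheme.

```javascript
// Added example: prefix schemeless host-sources in a CSP with an explicit scheme.
// Directives whose values are source lists; any other directive is left untouched.
const SOURCE_LIST_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "connect-src",
  "font-src", "object-src", "media-src", "frame-src", "child-src",
  "form-action", "frame-ancestors", "base-uri",
]);

// True for a host-source with no scheme, e.g. "ads.example.com" or "*.example.com:443".
function isSchemelessHost(token) {
  if (token === "*") return false;                          // bare wildcard
  if (token.startsWith("'")) return false;                  // 'self', 'none', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(token)) return false; // already has scheme://
  if (/^[a-z][a-z0-9+.-]*:$/i.test(token)) return false;    // scheme-source such as "data:"
  return /^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:(\d+|\*))?(\/.*)?$/i.test(token);
}

// Returns the policy with every schemeless host-source rewritten as scheme://host.
function addSchemeToCsp(policy, scheme = "https") {
  return policy
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((directive) => {
      const [name, ...values] = directive.split(/\s+/);
      if (!SOURCE_LIST_DIRECTIVES.has(name.toLowerCase())) return directive;
      const fixed = values.map((v) => (isSchemelessHost(v) ? `${scheme}://${v}` : v));
      return [name, ...fixed].join(" ");
    })
    .join("; ");
}

// Constructed sample policy (not taken from the question).
const samplePolicy =
  "default-src 'self'; script-src 'self' ads.example.com *.cdn.example.net:443 " +
  "https://a.example.org data:; sandbox allow-scripts; report-uri /csp";
console.log(addSchemeToCsp(samplePolicy));
```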

YoMan78

Reputation: 1307

In order to fix the issue we had to add logic that sends X-Content-Security-Policy to all but IE and Content-Security-Policy to IE only. This is an ugly code/solution, but at least it stopped crashing.

Upvotes: 0
