1

We recently discovered an interesting bug in the newly released Chrome v.39.

It just crashed with the standard "Aw Snap!" message on every page with an iframe if that iframe loads a page with a Content-Security-Policy HTTP header. This blocked our web-site because we host some third-party ads. From what I found, the "Content-Security-Policy" header is a W3C standard and Google Chrome used to support it between the v.25 and v.38 releases. But from now on they don't.

Does anyone know a nice practical solution for this issue? Is there a way to prevent Chrome from crashing without this workaround?

YoMan78
  • I can assure it is well supported in chrome 39, else github wouldn't work. I haven't seen any correlation between CSP and "aw snap" pages. Can you provide a link? Provide the policy being used? Provide console output if there is any? I'd be more inclined to blame the content of the 3rd party ads than the header – oreoshake Nov 21 '14 at 19:51
  • OK, let me paraphrase: I don't have any evidence that Chrome officially stopped supporting this "Content-Security-Policy" header. What I'm saying is that it fails to display/render a page which has an iframe which gets such a header in the HTTP response. – YoMan78 Nov 24 '14 at 11:12
  • My test case is quite simple: load the absolutely identical (binary comparison) content from 2 different URLs where the first sets the "Content-Security-Policy" header and the second doesn't. The embedding page crashes for the scenario _with_ that header and doesn't crash _without_ it. It might be a combination of content and header but I'd leave this for Google engineers to figure out. – YoMan78 Nov 24 '14 at 11:25
  • If you can put a test case up on the web, we can certainly file an issue with the Chromium folk. If you don't want to do this, I may get to it eventually. They are very responsive :) – oreoshake Nov 24 '14 at 18:00
  • Makes sense. First we observed this behaviour on the production site so had no chance to capture too many logs. I'll try to re-create a test case later this week or over WE. Agreed, really interesting case! – YoMan78 Nov 25 '14 at 18:22
  • This may or may not be fixed now: http://mashable.com/2014/12/03/vine-embeds-crash-chrome/ I think this is the bug you are discussing – oreoshake Dec 03 '14 at 23:50
  • oreoshake, yes, I believe that's the case. – YoMan78 Dec 05 '14 at 07:22

2 Answers

1

If you want to support Chrome 39/40, I found that adding the protocol in front of the domain would prevent the crash (it's not required in CSP 2.0, but it's better than a crash).

If you want to support Chrome 41, it didn't crash even without the protocol name.

Hope this helps.

Yao
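One way to apply the "protocol in front of the domain" workaround from the answer above to an existing policy string, as an added example that is not part of the original answer. The function names, the default `https` scheme and the sample policy with its hostnames are assumptions made for illustration.

```python
import re

# Directives whose values are source lists (CSP Level 2); others such as
# report-uri or sandbox are passed through untouched.
SOURCE_LIST_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "form-action", "frame-ancestors", "base-uri",
}
SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")  # e.g. data:, https:


def needs_scheme(source):
    """True for a host-source written without a scheme, e.g. cdn.example.com."""
    if source == "*" or source.startswith("'"):  # wildcard, 'self', nonces, hashes
        return False
    if SCHEME_SOURCE.match(source) or "://" in source:
        return False
    return True


def add_scheme(policy, scheme="https"):
    """Return the policy with scheme:// prefixed to every scheme-less host-source."""
    out = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name, sources = tokens[0], tokens[1:]
        if name.lower() in SOURCE_LIST_DIRECTIVES:
            sources = [f"{scheme}://{s}" if needs_scheme(s) else s for s in sources]
        out.append(" ".join([name] + sources))
    return "; ".join(out)


# Constructed sample policy (hostnames are placeholders, not from the page).
SAMPLE = ("default-src 'self'; script-src 'self' cdn.example.com "
          "*.ads.example.net:443 https://static.example.org; "
          "img-src * data:; report-uri /csp-report")

if __name__ == "__main__":
    print(add_scheme(SAMPLE))
```

An explicit scheme makes the source expression match only that scheme, so a host that still serves resources over plain HTTP needs its own `http://` entry.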
0

In order to fix the issue we had to add logic that sends X-Content-Security-Policy to all but IE and Content-Security-Policy to IE only. This is an ugly code/solution but at least it stopped crashing.

YoMan78