Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP and other errors reported in the console for CSS mask-type article's EmbedLiveSample iframes #9350

Open
daiplusplus opened this issue Jun 23, 2023 · 5 comments
Open

CSP and other errors reported in the console for CSS mask-type article's EmbedLiveSample iframes #9350

daiplusplus opened this issue Jun 23, 2023 · 5 comments
Assignees
@caugner
Labels
🐛 bug Something isn't working, or isn't working as expected CSP Problems caused by Content-Security-Policy idle p2 We want to address this but may have other higher priority items.

Comments

@daiplusplus
Copy link

daiplusplus commented Jun 23, 2023
edited
Loading

MDN URL

https://developer.mozilla.org/en-US/docs/Web/CSS/mask-type

What specific section or headline is this issue about?

Both example runner iframes

What information was incorrect, unhelpful, or incomplete?

  • Neither examples ("Setting an alpha mask" and "Setting a luminance mask") load in Chrome 114 nor Firefox 114.
  • Chrome's browser console reports these errors:
00:01:59.108 runner.html:1 The source list for the Content Security Policy directive 'style-src' contains an invalid source: '"self"'. It will be ignored.
00:01:59.108 runner.html:1 The source list for the Content Security Policy directive 'style-src' contains an invalid source: '"self"'. It will be ignored.
00:01:59.116 runner.html:1 The source list for the Content Security Policy directive 'style-src' contains an invalid source: '"self"'. It will be ignored.
00:01:59.146 mask-type:1 Clear-Site-Data header on 'https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_an_alpha_mask': Unrecognized type: "*".
00:01:59.146 mask-type:1 Clear-Site-Data header on 'https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_an_alpha_mask': No recognized types specified.
00:01:59.146 mask-type:1 Clear-Site-Data header on 'https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_a_luminance_mask': Unrecognized type: "*".
00:01:59.146 mask-type:1 Clear-Site-Data header on 'https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_a_luminance_mask': No recognized types specified.

Firefox's browser console reports these as warnings, not errors, and unlike Chrome, Firefox loads the iframe's content, but doesn't render it: we just see empty white boxes (screenshot below):

00:02:40.479
Content-Security-Policy warnings 2
00:02:40.479 Content Security Policy: Ignoring ‘unsafe-eval’ or ‘wasm-unsafe-eval’ inside “script-src-elem”. [runner.html](https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_a_luminance_mask)
00:02:40.479 Content Security Policy: Couldn’t parse invalid host "self" [runner.html](https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_a_luminance_mask)
00:02:40.531
Content-Security-Policy warnings 2
00:02:40.531 Content Security Policy: Ignoring ‘unsafe-eval’ or ‘wasm-unsafe-eval’ inside “script-src-elem”. [runner.html](https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_an_alpha_mask)
00:02:40.531 Content Security Policy: Couldn’t parse invalid host "self" [runner.html](https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_an_alpha_mask)
00:02:40.538 Partitioned cookie or storage access was provided to “https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_a_luminance_mask” because it is loaded in the third-party context and dynamic state partitioning is enabled.

00:02:40.538 Partitioned cookie or storage access was provided to “https://live.mdnplay.dev/en-US/docs/Web/CSS/mask-type/runner.html?id=setting_an_alpha_mask” because it is loaded in the third-party context and dynamic state partitioning is enabled.

image

What did you expect to see?

I expected the samples to load.

Do you have any supporting links, references, or citations?

No response

Do you have anything more you want to share?

No response

MDN metadata

Page report details
@daiplusplus daiplusplus added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Jun 23, 2023
@bsmth
Copy link
Member

bsmth commented Jun 23, 2023

Thanks for raising this one @daiplusplus - we'll take a look shortly 👍🏻

@Josh-Cena Josh-Cena removed the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Jun 26, 2023
@sideshowbarker sideshowbarker transferred this issue from mdn/content Jul 20, 2023
@github-actions github-actions bot added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Jul 20, 2023
@bsmth bsmth added the CSP Problems caused by Content-Security-Policy label Aug 8, 2023
This was referenced Sep 26, 2023
Merged
Draft
@caugner
Copy link
Contributor

caugner commented Sep 26, 2023

Thanks again for raising these issues @daiplusplus. 🙏

  1. As for the examples not loading, I just verified that the examples now load properly in Firefox 120 (Nightly) and Chrome 117 (Stable). Most likely the examples were fixed by Put syntax examples in the right place content#28070.
  2. As for the Clear-Site-Data warning, it appears that the wildcard ("*") was not yet supported in Chrome (as reported here), but support shipped in Chrome 117.
  3. As for the style-src warning in Chrome, I can no longer reproduce this in Chrome 117.
  4. As for the CSP warning invalid host "self" in Firefox, I can no longer reproduce this in Firefox 120 (Nightly).
  5. As for the script-src-elem warning in Firefox, this will be fixed in fix(csp): remove unsafe-eval from script-src-elem #9729 (pending discussion in the team).
  6. I noticed an unrelated CSS warning Unexpected token ‘-1’ in media list. in Firefox, which will be fixed in fix(client): avoid CSS warning in Firefox #9727.

@caugner caugner self-assigned this Sep 26, 2023
@caugner caugner added 🐛 bug Something isn't working, or isn't working as expected p2 We want to address this but may have other higher priority items. and removed needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. labels Sep 26, 2023
@daiplusplus
Copy link
Author

@caugner I'm using Chrome 117 and Firefox 117 and while the examples load, they appear differently in Firefox vs Chrome so I'm unsure if I can close this or not...

image

@caugner
Copy link
Contributor

caugner commented Sep 26, 2023

@daiplusplus Fair point! This looks like a webcompat issue, and at the same time the result doesn't look like a "red square" even though the example code suggests this. 🤔

Let's keep this issue open for now. I will share an update once I heard back from a colleague working on Firefox.

@caugner
Copy link
Contributor

caugner commented Sep 26, 2023

It looks like Chrome does not respect the mask, and the BCD table for the mask property hints at this:

Implemented with the vendor prefix: -webkit-
The prefixed property can be used with SVG and HTML with a slightly different syntax, which allows setting the non-standard -webkit-mask-attachment property.

Partial support
While the property is recognized, values applied to it don't have any effect.

A similar issue has been reported in the BCD repo.

@github-actions github-actions bot added the idle label Jan 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@caugner caugner

Labels
🐛 bug Something isn't working, or isn't working as expected CSP Problems caused by Content-Security-Policy idle p2 We want to address this but may have other higher priority items.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@caugner @daiplusplus @bsmth @Josh-Cena