ampproject / error-reporting

Contains production error tracking issues.
Apache License 2.0

🚨 Error: Failed to construct 'Worker': Access to the script at 'blob:https://www.quotidiano.net/18a38be0-42f3-4823-898e-dcf7b88bfced' is denied by the document's Content Security Policy. #59

Open ampprojectbot opened 3 years ago

ampprojectbot commented 3 years ago

Details

Error report: link
First seen: Jan 3, 2018
Frequency: ~ 5,306/day

Stacktrace

Error: Failed to construct 'Worker': Access to the script at 'blob:https://www.quotidiano.net/18a38be0-42f3-4823-898e-dcf7b88bfced' is denied by the document's Content Security Policy.
    at src/web-worker/amp-worker.js:118:23

Notes

@rsimha modified src/web-worker/amp-worker.js:113-120 in #21212 (May 16, 2019)

Seen in:

/cc @ampproject/release-on-duty

rcebulko commented 3 years ago

/cc @samouri was there an update to mobile Chrome or permissions for web workers or something? This CSP error started appearing yesterday across a few domains, and across all release channels. It's a small # of referrers from what I can tell; not sure if it's one source that owns a few sites or a wider issue.

jridgewell commented 3 years ago

There's nothing that we can do about this. These are origin pages that are setting a Content-Security-Policy with script-src that are not including blob:. The page that I found is setting script-src 'unsafe-inline' 'unsafe-eval' *;, and * doesn't cover blob: (it covers hosts, not schemes).

kristoferbaxter commented 3 years ago

Perhaps we should enhance the guidance on the Page Experience tool to detect broken CSP values for AMP documents?

What do you think @sebastianbenz?
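
The check discussed in this thread, as an added example that is not part of the original issue or of AMP's code: it parses a Content-Security-Policy value and reports whether a `blob:` worker would be allowed, using the CSP Level 3 fallback order for workers (`worker-src`, `child-src`, `script-src`, `default-src`). The function names are hypothetical and the sample policies are constructed, apart from the one quoted above.

```javascript
// Added example: decide whether a Content-Security-Policy value permits
// `new Worker(blobUrl)`. Function names are illustrative, not AMP APIs.

// CSP Level 3 fallback order for worker requests.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns { allowed, directive } for a single policy.
function blobWorkerCheck(policy) {
  const directives = parsePolicy(policy);
  const governing = WORKER_FALLBACK.find((d) => directives.has(d));
  // No directive in the chain means this policy does not restrict workers.
  if (!governing) return { allowed: true, directive: null };
  // Only an explicit `blob:` scheme-source matches a blob: URL;
  // `*`, 'self' and host-sources do not.
  const allowed = directives.get(governing).some((s) => s.toLowerCase() === 'blob:');
  return { allowed, directive: governing };
}

// A response may carry several policies (comma-separated); all must allow.
function headerAllowsBlobWorker(headerValue) {
  return headerValue.split(',').every((p) => blobWorkerCheck(p).allowed);
}

// Sample values; the first is the policy quoted in the thread, the rest are constructed.
const samples = [
  "script-src 'unsafe-inline' 'unsafe-eval' *;",
  "script-src 'self' blob:",
  "script-src *; worker-src blob:",
  "img-src https:",
];
for (const s of samples) console.log(JSON.stringify(blobWorkerCheck(s)), s);
```

A result of `allowed: false` names the directive that needs `blob:` added for the worker to load.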