CSP (content security policy) Still Preventing Sites from loading

[androbourne]

Description

CSP can be found to be preventing some pages from loading. Ones I've found so far are outlook.live.com and even your own bug report pages on Brave Community site.

I would say this is a continuation of this previously reported ticket that is now closed: https://github.com/brave/brave-browser/issues/16251

Steps to Reproduce

Go to a site with the script running like outlook.live.com. Page stuck on loading screen (shows outlook loading symbol and never loads. Inspect page and see issue is caused by CSP.

Actual result:

Expected result:

The page to actually load.

Reproduces how often:

I noticed that if I clear my cache for outlook.live.com and close and reopen the tab. I can load the email just fine. But once the cache times out and outlook.ive.com attempts to refresh or rerun the script. It returns back to the forever loading screen and I again need to clear the cache to allow the page to load.

Brave version (brave://version info)

1.45.116

Other Additional Information:

I have tried to disable pop up blocker by Brave. No rewards are enabled.

More information about the error can be seen here: https://www.reddit.com/r/brave_browser/comments/yhxtc5/comment/iuh2p40/?context=3

And no. I did not modify the rule or add any custom blocks/scripts as one user suggested on the Reddit page. Brave is installed using defaults and I have no made any changes in those regards.

In the meantime I've disabled CSP in the Brave flags and it appears to have "fixed" the issue. However, this is a bug of Brave and should be looked at. I tested with different browsers, including Firefox and Chrome and can not replicate this problem on any other browser.

[diracdeltas]

cc @antonok-edm @ryanbr

[androbourne]

Just wanted to add more information. I disabled the brave flags for CSP and while it doesn't block the sites as often. It still blocks the site even with CSP disabled. Only way to temp fix it is for me to clear cache of the specific website.

[ryanbr]

Does it show in private window mode?

[androbourne]

I just reset the cache so I could log into my email. I''ll have to wait for it to reproduce its self and I can test again. I'll report back what it happens again.

[ryanbr]

Hows it looking @androbourne

[androbourne]

It happened again in standard browse mode. However, it works in private window mode. But that is excepted. As I stated. It appears to be when cache times out and it need to refresh, something runs to trigger that CSP block.

I also dont get why CSP is still in effect when its turned off via Brave flags...

[ryanbr]

If you disable all the extensions, and then re-test in normal mode. does that work?

[androbourne]

I have done that and even with extentions off it runs into the same issue.

[r3538987]

Same behavior observed on https://resource.dopus.com/ and even on https://community.brave.com/ You get stuck page with scroll disabled, and once you hit CTRL+F5 it will work, for current tab.

[androbourne]

Same behavior observed on https://resource.dopus.com/ and even on https://community.brave.com/ You get stuck page with scroll disabled, and once you hit CTRL+F5 it will work, for current tab.

I just stopped using Brave altogether. The devs appear to have just givin up on it saying it was an issue on my end. I'm a network/systems engineer. I can tell you for a fact its not an issue on my end. Firefox is working just fine.

[m4k3m0n3y420]

Same behavior on https://streamelements.com/ Also several different job sites. Forms wont allow input, buttons don't work, dropdown menus don't dropdown or sites simply will not load at all.

This is with disabled shields, private window, deleted cookies. Error is always Blocked By Client. Edge loads everything OK.

I have been using brave for a few years now and this only started this week.

[diracdeltas]

This is with disabled shields, private window, deleted cookies. Error is always Blocked By Client. Edge loads everything OK.

could you share what page you are seeing this error on? i'm not able to reproduce it by going to https://streamelements.com/ on its own. (no blocked or CSP errors in the console when shields are down)