Content Security Policy report-uri throttling?


Neil Craig

May 25, 2016, 2:25:35 PM
to Chromium-discuss
Hi all

I'm doing some work on CSP and part of this is creating a report-uri handler (which for my PoC at least is on AWS Lambda). I'm seeing a lot of report-uri requests in the network inspector in Chrome being marked as "Cancelled" and I can't find any reason as to why or any docs. 

I am pretty certain (as far as I can be with AWS and their reporting) that there is no relevant throttling on that side, there are no reported invocation errors on Lambda and the limit is 100k req/sec at burst - I'm not getting near that.

It looks a little like Chrome (and I am guessing/assuming Chromium - hence the Q here) might throttle the report-uri request rate to avoid DoS'ing the report-uri endpoint. I have attached 2 screenshots, one is "GPRS" throttled (in dev tools) and one is not throttled. I observe that typically, I get fewer cancelled requests when the network is throttled.

Is anyone able to confirm whether or not throttling of report-uri requests is occurring please? I'd like to confirm or refute my theory.

Cheers
Neil

Screen Shot 2016-05-23 at 09.30.44.png
Screen Shot 2016-05-23 at 09.34.19.png

Jonathan Garbee

May 25, 2016, 6:10:50 PM
to gm...@thedotproduct.org, Chromium-discuss
Looks like a good number of the cancelled requests are duplicates. According to sending violation reports if the request created is an exact match to a previously sent report for the session, it may abort the request.

Try de-duping the reports and see if any unique reports are being cancelled. That would be a problem.

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

Neil Craig

May 30, 2016, 9:31:06 AM
to Chromium-discuss, gm...@thedotproduct.org
Hi again

Sorry it took a while but I have tested a couple of pages' violation reports and I can see a number of violations which I would not expect to be cancelled due to duplication (because, for example, there is a single violation report attempt logged to a given blocked-uri - which was cancelled). For clarity, I put my findings in gists:


I am pretty sure (from the doc you linked) that the de-dupe is intended to be done using blocked-uri as the key for uniqueness - please correct me if you know/believe otherwise - I tried 3 different keys for uniqueness, just in case.

I also checked the logs from my report-uri endpoint and found that the number of inbound requests is exactly equal to the number of un-cancelled violation reports shown in Chrome - there are zero failed report requests on my endpoint.

So...bearing in mind all the above, I think it must be some sort of an issue in Chrome. I guess perhaps some throttling - perhaps due to the (intentionally, since I am testing CSP in general, not a "real" policy) number of violations my page is triggering.

Finally, just for clarity, I am using the "Modify Headers" extension for Chrome to add the CSP response header - but I have previously tested sending the header from a web server and that exhibited the same behaviour.

Hoping someone can shed some light on this...and please let me know if any more info is needed.

Cheers
Neil
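The de-duplication check Jonathan suggests, and the "three different keys for uniqueness" Neil describes trying, both come down to choosing which fields of a violation report define "the same report". The script below is an added example written for this thread, not code from either poster, Chromium or AWS: it parses constructed report-uri POST bodies (the `{"csp-report": {...}}` wrapper browsers send with `Content-Type: application/csp-report`; the URLs are placeholders) and counts how many reports survive de-duplication under three candidate keys, so you can compare the result with the number of uncancelled requests Chrome shows. The key sets are assumptions for illustration; the thread does not state which fields Chrome actually compares.

```python
import json
from typing import Iterable, Optional

# Constructed sample bodies shaped like browser report-uri POSTs.
# Placeholder hosts only; nothing here is a real site.
SAMPLE_BODIES = [
    # R1: page1 loads a blocked script
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page1",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.test/a.js",
        "original-policy": "default-src 'self'; report-uri /csp",
        "status-code": 200,
    }}),
    # R2: exact repeat of R1 (same page, same blocked resource)
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page1",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.test/a.js",
        "original-policy": "default-src 'self'; report-uri /csp",
        "status-code": 200,
    }}),
    # R3: same blocked-uri as R1 but from a different page
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page2",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.test/a.js",
        "original-policy": "default-src 'self'; report-uri /csp",
        "status-code": 200,
    }}),
    # R4: page1 again, different blocked resource
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page1",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.test/b.js",
        "original-policy": "default-src 'self'; report-uri /csp",
        "status-code": 200,
    }}),
    # R5: malformed body, the kind of thing an endpoint must tolerate
    "not json at all",
]

# Candidate uniqueness keys (assumed for illustration).
# None means "every field of the report".
KEY_SETS = {
    "full-report": None,
    "blocked-uri": ("blocked-uri",),
    "page+directive+uri": ("document-uri", "violated-directive", "blocked-uri"),
}


def parse_report(body: str) -> Optional[dict]:
    """Return the inner csp-report object, or None if the body is unusable."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None


def report_key(report: dict, fields) -> str:
    """Build a hashable identity for a report from the chosen fields."""
    if fields is None:
        return json.dumps(report, sort_keys=True)
    return json.dumps([str(report.get(f, "")) for f in fields])


def dedupe(reports: Iterable[dict], fields):
    """Split reports into (first occurrences, repeats) under one key."""
    seen, unique, repeats = set(), [], []
    for report in reports:
        key = report_key(report, fields)
        (repeats if key in seen else unique).append(report)
        seen.add(key)
    return unique, repeats


def summarize(bodies: Iterable[str]) -> dict:
    """Count unique reports under each candidate key, plus malformed bodies."""
    parsed = [parse_report(b) for b in bodies]
    reports = [r for r in parsed if r is not None]
    result = {name: len(dedupe(reports, fields)[0]) for name, fields in KEY_SETS.items()}
    result["malformed"] = len(parsed) - len(reports)
    return result


if __name__ == "__main__":
    for name, count in summarize(SAMPLE_BODIES).items():
        print(f"{name}: {count}")
```

If the count under a given key matches the number of requests Chrome did not cancel, that key is a plausible explanation for the cancellations; a cancelled report whose key is unique under every candidate points somewhere other than de-duplication, which is the situation Neil describes.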