duck.ai - doesn't work with csp enabled

Enobarbous
Fanatic
Posts: 119
Joined: 2022-12-06, 17:44

duck.ai - doesn't work with csp enabled

Post by Enobarbous » 2026-05-31, 15:49

This is a live example of a site that doesn't work specifically because of the CSP implementation in Pale Moon.
Tested on a clean portable PM 34.2.2.

If you try typing something in the chat and press "ask" or Enter, the page will display the error "Oops! Something went wrong."
The console also displays a long error:

Code:

  ChunkLoadError: Loading CSS chunk 1897 failed.
(error: https://duck.ai/dist/duckai-dist/chunk.duckai-shield-animation.07c49f74e9caa4608f49.css)
Stack trace:
i.f.miniCss/e[t]</</</o.onload@https://duck.ai/dist/duckai-dist/entry.duckai.ae8834055b64dc711946.js:2:1508966
  
But if you set security.csp.enable = false, the chat works fine.
The site's csp settings are not too complicated and at first glance should be fully supported in pm -
"default-src 'none' ; connect-src https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; manifest-src https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; media-src https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; script-src blob: https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai 'unsafe-inline' 'unsafe-eval' ; font-src data: https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; img-src data: https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; style-src https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai 'unsafe-inline' ; object-src 'none' ; worker-src blob: ; child-src blob: https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; frame-src blob: https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; form-action https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai ; frame-ancestors https://duckduckgo.com https://*.duckduckgo.com ; base-uri 'self' ; block-all-mixed-content ;"
So does anyone have any ideas what exactly is wrong with csp processing?
I am sorry for the use of auto-translator to post

andyprough
Forum staff
Posts: 1511
Joined: 2020-05-31, 04:33

Re: duck.ai - doesn't work with csp enabled

Post by andyprough » 2026-06-02, 22:36

Enobarbous wrote:
2026-05-31, 15:49
But if you set security.csp.enable = false, the chat works fine.
Now what's weird is, if you set security.csp.enable = false, duck.ai starts working. And then if you set security.csp.enable = true, duck.ai continues working. Go figure.

jobbautista9
Board Warrior
Posts: 1226
Joined: 2020-11-03, 06:47
Location: Philippines

Re: duck.ai - doesn't work with csp enabled

Post by jobbautista9 » 2026-06-03, 00:52

I guess cache ignores CSP?

Tired of creating stuff!

Avatar artwork by Shinki669: https://www.pixiv.net/artworks/113645617

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Drugwash
Lunatic
Posts: 467
Joined: 2016-01-28, 12:08
Location: Ploieşti, Romania

Re: duck.ai - doesn't work with csp enabled

Post by Drugwash » 2026-06-03, 09:57

andyprough wrote:
2026-06-02, 22:36
And then if you set security.csp.enable = true, duck.ai continues working.
I discovered it does not. If I do that, change to another tab, and then come back, duck.ai will become unavailable with a message saying something along those lines.

Also I had a (very simple) GreaseMonkey script that somehow blocked duck.ai from functioning, making it display the same "Oops..." message. It's the one about bypassing 'obsolete browser' on Discourse pages, found here in the forums. Had to add a special exclusion for duck.ai's domain to get it back working:

Code:

// ==UserScript==
// @name        Discourse bypass
// @namespace   Drugwash
// @description Bypass 'obsolete browser' check on Discourse-enabled domains
// @include     *
// @exclude     https://duck.ai/*
// @version     1
// @run-at      document-start
// @grant       none
// ==/UserScript==
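// Make window.unsupportedBrowser always read as 0 and silently ignore writes
Object.defineProperty(window, "unsupportedBrowser", {
	set(value) {},
	get() {return 0;},
	configurable: true
});
// Replace FinalizationRegistry with a no-op stub class
window.FinalizationRegistry = class {
	constructor(a) {}
	register(a,b) {}
};
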
Unrelated to this, on my machine (at least) duck.ai has been behaving very badly, lagging more and more when switching tabs or between PM and another application, to the point it would become unusable. Even switching focus from the input box to the main page (and back) would lag considerably. Same applies to saving any scripts provided by the AI, or the whole chat itself. And with updating to PM's 34.3.0 this lag has increased even from the very start of a chat. No idea whether it's duck.ai's fault, PM's fault, my system's fault, or just plain bad luck.

andyprough
Forum staff
Posts: 1511
Joined: 2020-05-31, 04:33

Re: duck.ai - doesn't work with csp enabled

Post by andyprough » 2026-06-03, 10:56

Drugwash wrote:
2026-06-03, 09:57
Unrelated to this, on my machine (at least) duck.ai has been behaving very badly, lagging more and more when switching tabs or between PM and another application, to the point it would become unusable. Even switching focus from the input box to the main page (and back) would lag considerably.
I noticed the same lag when switching tabs. But definitely duck.ai kept working for me after re-enabling security.csp.enable and switching between tabs.

Drugwash
Lunatic
Posts: 467
Joined: 2016-01-28, 12:08
Location: Ploieşti, Romania

Re: duck.ai - doesn't work with csp enabled

Post by Drugwash » 2026-06-03, 11:11

andyprough wrote:
2026-06-03, 10:56
definitely duck.ai kept working for me after re-enabling security.csp.enable and switching between tabs.
Then there may be something else at play that makes this behavior different between our systems. Possibly one of my (too) many extensions? Haven't checked with a new/blank profile.

Enobarbous
Fanatic
Posts: 119
Joined: 2022-12-06, 17:44

Re: duck.ai - doesn't work with csp enabled

Post by Enobarbous » 2026-06-03, 16:28

andyprough wrote:
2026-06-02, 22:36
Now what's weird is, if you set security.csp.enable = false, duck.ai starts working. And then if you set security.csp.enable = true, duck.ai continues working. Go figure.
There is nothing strange about this, it is just working with the cache.

I did a little digging (not extensively; for a full investigation, I'd first need to write an extension), but it seems the problem with csp occurs when <scheme-source> is used and/or <scheme-source> is mixed with <host-source> in a single directive. It's as if processing such a directive causes a fallback to "default-src."
But this is just a guess.

And yes, this isn't the only site where csp is causing issues; it's just that here it's highly visible.
I am sorry for the use of auto-translator to post
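
Added example, not part of any post in this thread: a simplified CSP source-list matcher in JavaScript that parses the policy quoted in the first post, lists the directives that mix a scheme-source with a host-source, and checks the failing CSS chunk URL against style-src and against default-src. It ignores ports, paths and 'self', and all function names are this example's own.

```javascript
// Added example: simplified CSP source-list matching (no ports, paths or 'self').
const H = "https://duckduckgo.com https://*.duckduckgo.com https://duck.ai https://*.duck.ai";
// Policy as quoted in the first post, with the repeated host list factored out.
const POLICY = `default-src 'none' ; connect-src ${H} ; manifest-src ${H} ; media-src ${H} ; script-src blob: ${H} 'unsafe-inline' 'unsafe-eval' ; font-src data: ${H} ; img-src data: ${H} ; style-src ${H} 'unsafe-inline' ; object-src 'none' ; worker-src blob: ; child-src blob: ${H} ; frame-src blob: ${H} ; form-action ${H} ; frame-ancestors https://duckduckgo.com https://*.duckduckgo.com ; base-uri 'self' ; block-all-mixed-content ;`;
// URL of the CSS chunk named in the console error in the first post.
const CSS_CHUNK = "https://duck.ai/dist/duckai-dist/chunk.duckai-shield-animation.07c49f74e9caa4608f49.css";

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive name is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function classify(src) {
  if (/^'.*'$/.test(src)) return "keyword";               // 'none', 'unsafe-inline', ...
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return "scheme"; // blob:, data:
  return "host";                                          // https://*.duck.ai
}

// Directives whose source list contains both a scheme-source and a host-source.
function mixedDirectives(directives) {
  return [...directives].filter(([, srcs]) => {
    const kinds = new Set(srcs.map(classify));
    return kinds.has("scheme") && kinds.has("host");
  }).map(([name]) => name);
}

function matchesSource(src, url) {
  const kind = classify(src);
  if (kind === "keyword") return false;                   // keywords never match a fetched URL
  if (kind === "scheme") return url.protocol === src.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(src);
  if (!m || url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[2].toLowerCase(), target = url.hostname.toLowerCase();
  return host.startsWith("*.") ? target.endsWith(host.slice(1)) : target === host;
}

function allowedBy(directives, name, urlString) {
  const url = new URL(urlString);
  return (directives.get(name) || []).some((src) => matchesSource(src, url));
}

// The governing directive is the specific one if present, otherwise default-src.
function evaluate(directives, wanted, urlString) {
  const used = directives.has(wanted) ? wanted : "default-src";
  return { used, allowed: allowedBy(directives, used, urlString) };
}
```

For this policy the mixed directives are script-src, font-src, img-src, child-src and frame-src; the CSS chunk is allowed by style-src and refused only if default-src 'none' is applied to it instead.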

andyprough
Forum staff
Posts: 1511
Joined: 2020-05-31, 04:33

Re: duck.ai - doesn't work with csp enabled

Post by andyprough » 2026-06-03, 17:27

Enobarbous wrote:
2026-06-03, 16:28
And yes, this isn't the only site where csp is causing issues; it's just that here it's highly visible.
Yes, I was looking at this report on PayPal not working with csp errors yesterday. Seems like one thing a person could try is disabling security.csp.enable, but that sounds like an increasingly bad idea on a site like PayPal.