Thousands of Errors in the Console

Nataliia_Staff · January 11, 2023, 6:42am

Hi Fuji2086,

Thank you for the comment. Do you see the error notification on the WME screen also or only in console?

Regards,
Nataliia

fuji2086 · January 24, 2023, 2:53am

The errors only appear in the console.

Nataliia_Staff · January 24, 2023, 7:21am

Hi Fuji2086,

Thank you for the answer. I will forward your answer to the team.

Regards,
Nataliia

jangliss · February 24, 2023, 9:42pm

I know Waze is improving security by enabling CSP and the various things around it, and much to many folks horror this has broken scripts, as well as some core functionality.

While I was checking into something completely unrelated I found Waze has enabled the reporting option for CSP which submits a report to a web service to report on issues with content. Cool! This should help fix bugs, right? I doubt developers can keep up with the influx of these reports though.

Here’s a fun one, open WME in a browser with nothing enabled, no scripts, etc, incognito works great. Launch the respective browser’s dev tools, and watch the network window when you simply move your mouse around over the map. The CSP reporting generates hundreds and thousands of entries, all from code in third_party.js. For example:
This one looks to be generated from updating the lat/long box in the bottom right of the screen. Issues like this really need to be caught long before they even hit beta. Issues like this can also cause some firewalls to think there is a denial of service going on based on the number of requests sent per second.

fuji2086 · February 25, 2023, 2:15pm

This was something I reported close to 6 months ago if you want to add to that same forum thread: https://www.waze.com/forum/viewtopic.php?t=359369

maiapas · February 26, 2023, 7:54am

jangliss:

I know Waze is improving security by enabling CSP and the various things around it, and much to many folks horror this has broken scripts, as well as some core functionality.

While I was checking into something completely unrelated I found Waze has enabled the reporting option for CSP which submits a report to a web service to report on issues with content. Cool! This should help fix bugs, right? I doubt developers can keep up with the influx of these reports though.

Here’s a fun one, open WME in a browser with nothing enabled, no scripts, etc, incognito works great. Launch the respective browser’s dev tools, and watch the network window when you simply move your mouse around over the map. The CSP reporting generates hundreds and thousands of entries, all from code in third_party.js. For example:chrome_GWsLjHSAk0.png
This one looks to be generated from updating the lat/long box in the bottom right of the screen. Issues like this really need to be caught long before they even hit beta. Issues like this can also cause some firewalls to think there is a denial of service going on based on the number of requests sent per second.

Hi jangliss, thanks for your feedback. I’d like to share some context about this change:

Before implementing this change, we communicated with script writers and later offered to whitelist sources. We’ve been continuously whitelisting sources that script writers have asked us to.

The policy was announced in March, reached beta in April and was left in beta until August to give time for script writers to test their scripts. Due to compatibility issues with firefox, we’ve reverted the policy temporarily back to beta and also offered an API to prevent issues when initializing scripts,

Regarding your report, to better understand understand it and pass it on to the team, can you please explain which issue is the policy causing?

Thanks in advance!

daveacincy · March 1, 2023, 2:01am

This issue is not causing any problem with functionality. It just means the WME base or libraries is not CSP compliant. These particular notices are Report Only, but if/when you turn on more CSP compliance, it will be a problem.

In beta WME with no other scripts or extensions, I opened the Developer Tools and switched to the Console tab. There I see:

85 [Report Only] This document requires ‘TrustedScript’ assignment.

Opening the caret by the count (85) I get a list of the CSP reports. As an example, when I click on the code link on the right of an entry (https://editor-assets.waze.com/beta/js/third_party-3def08ad9ff44dd8d579.js.gz), it opens the Sources tab and I see this code:t.isCoveredByReact = e=>{ if ("undefined" == typeof document) return !0; { const t = "on" + e; let n = t in document; if (!n) { const e = document.createElement("div"); e.setAttribute(t, "return;"), n = "function" == typeof e[t] } return n } }
the line with e.setAttribute is marked as an error and when I hover over the error icon or click on it, it says: Trusted Type expected, but String received

Dave

maiapas · March 1, 2023, 7:25am

daveacincy:

This issue is not causing any problem with functionality. It just means the WME base or libraries is not CSP compliant. These particular notices are Report Only, but if/when you turn on more CSP compliance, it will be a problem.

In beta WME with no other scripts or extensions, I opened the Developer Tools and switched to the Console tab. There I see:

85 [Report Only] This document requires ‘TrustedScript’ assignment.

Opening the caret by the count (85) I get a list of the CSP reports. As an example, when I click on the code link on the right of an entry (https://editor-assets.waze.com/beta/js/third_party-3def08ad9ff44dd8d579.js.gz), it opens the Sources tab and I see this code:t.isCoveredByReact = e=>{ if ("undefined" == typeof document) return !0; { const t = "on" + e; let n = t in document; if (!n) { const e = document.createElement("div"); e.setAttribute(t, "return;"), n = "function" == typeof e[t] } return n } }
the line with e.setAttribute is marked as an error and when I hover over the error icon or click on it, it says: Trusted Type expected, but String received

Dave

Hi Dave,

Is there a specific source you need us to whitelist?

We´ve been whitelisting sources for script writers.

To open a request, I would need the following information:

Source to whitelist
Script it belongs to
Are critical functionalities of the scripts affected without the whitelisting?

Thank you for your feedback,
Maia

Twister-UK · March 1, 2023, 12:19pm

Maia, the issue here isn’t being caused by a script, it’s the native WME code generating all these warnings, so asking us to provide those details is somewhat futile - those questions need to be directed at the dev team.

As a general note here, whilst I appreciate that WME is a complex bit of code and might therefore not be quite as easy to clean up as our scripts, things like CSP have been introduced as restrictions deemed necessary to how the WME environment behaves despite the additional development burdens they’ve imposed on us, so it’d be a nice touch if WME itself was held to the same standard and led by example, rather than being allowed to ignore the restrictions and throw warnings/errors just because it can get away with it.

maiapas · March 1, 2023, 12:45pm

Hi Chris,

Thank you for your comment.

I am just trying to better understand the issue to report it internally, or better understand the question/report and the issues that it is causing.

Best,
Maia