{"id":7977,"date":"2025-10-28T00:04:19","date_gmt":"2025-10-28T00:04:19","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/28\/how-we-almost-found-chromiums-bug-via-crash-reports-to-report-uri\/"},"modified":"2025-10-28T00:04:19","modified_gmt":"2025-10-28T00:04:19","slug":"how-we-almost-found-chromiums-bug-via-crash-reports-to-report-uri","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/28\/how-we-almost-found-chromiums-bug-via-crash-reports-to-report-uri\/","title":{"rendered":"How We (Almost) Found Chromium&#8217;s Bug via Crash Reports to Report URI"},"content":{"rendered":"\n<div>How We (Almost) Found Chromium&#8217;s Bug via Crash Reports to Report URI<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.troyhunt.com\/content\/images\/2025\/10\/2025-10-27_18-30-56.png?ssl=1\" alt=\"How We (Almost) Found Chromium's Bug via Crash Reports to Report URI\"><\/p>\n<p>Tracking down bugs in software is a pain that all of us who write code must bear. When we&#8217;re talking about outright errors in a web page, you typically have <em>something <\/em>to get you started (such as output in the console), but that wasn&#8217;t the case here:<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Sure! Reboots don&#8217;t help \ud83d\ude42 Here are the two error screens which show up. <a href=\"https:\/\/t.co\/w2dmZcVyHk?ref=troyhunt.com\">pic.twitter.com\/w2dmZcVyHk<\/a><\/p>\n<p>\u2014 Peter Vogel (@PeterVogel) <a href=\"https:\/\/twitter.com\/PeterVogel\/status\/1943804862740967584?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">July 11, 2025<\/a>\n<\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<!--kg-card-end: html--><\/p>\n<p>That&#8217;s on a Chromebook, and it&#8217;s the first user report we had about the issue back in early July. The initial problem this presented is that there are not a lot of people running around with devices we could test on. But there <em>are <\/em>enough people using them that we had multiple similar reports, so we were well beyond just giving people like Peter a bit of &#8220;works on my machine&#8221;, and moving on. But the &#8220;SIGILL&#8221; error means that something pretty low-level has happened and, as you can see from the screen grab, you can&#8217;t exactly just pop open the dev tools and peak at what&#8217;s broken in the site when it can&#8217;t even load in the first place.<\/p>\n<p>However, after months of making no progress whilst the occasional Chromium user popped their head up and reported exactly the same problem, the answer finally emerged:<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Reading MDN docs I don&#8217;t find a directive &#8216;report-sha256&#8217;, so tried only removing that, and no crash.<\/p>\n<p>\u2014 Mark : 1x Software Artisan (@virullius) <a href=\"https:\/\/twitter.com\/virullius\/status\/1981597950758305836?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">October 24, 2025<\/a>\n<\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<!--kg-card-end: html--><\/p>\n<p>Uh&#8230; shouldn&#8217;t a browser just ignore a directive it doesn&#8217;t recognise? (And incidentally, <a href=\"https:\/\/www.w3.org\/TR\/CSP3\/?fbclid=IwY2xjawNsBPVleHRuA2FlbQIxMQABHnebf3gNkC62y9V4xZ1zO8Nhvbw0Q9s-8PQylmnSyIefVK65ssZhcud_z3Hi_aem_lvyQud5NbXgnsU6t9Cva1A&amp;ref=troyhunt.com#reporting\" rel=\"noreferrer\">report-sha256 is documented in CSP level 3<\/a>.) But the timing was awful coincidental with when we added that exact directive, only just before people started reporting problems:<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Wow, good sleuthing! The timing of when this first began aligns with this commit from <a href=\"https:\/\/twitter.com\/stebets?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">@stebets<\/a>. I&#8217;ve just dropped it, does it look ok now? Also CC&#8217;ing <a href=\"https:\/\/twitter.com\/Scott_Helme?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">@Scott_Helme<\/a> &#8211; you seen this before mate? Bug was logged here: <a href=\"https:\/\/t.co\/wiKpdmSxhU?ref=troyhunt.com\">https:\/\/t.co\/wiKpdmSxhU<\/a> <a href=\"https:\/\/t.co\/m2nsDtAMjB?ref=troyhunt.com\">pic.twitter.com\/m2nsDtAMjB<\/a><\/p>\n<p>\u2014 Troy Hunt (@troyhunt) <a href=\"https:\/\/twitter.com\/troyhunt\/status\/1981856765135450276?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">October 24, 2025<\/a>\n<\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<!--kg-card-end: html--><\/p>\n<p>Getting to the title of this post, we <em>almost <\/em>worked this out ourselves, we just didn&#8217;t look at data that was right in front of our eyes. Here it is:<\/p>\n<figure class=\"kg-card kg-image-card kg-width-full\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.troyhunt.com\/content\/images\/2025\/10\/2025-10-27_18-30-56-1.png?resize=2000%2C924&#038;ssl=1\" class=\"kg-image\" alt=\"How We (Almost) Found Chromium's Bug via Crash Reports to Report URI\" loading=\"lazy\" width=\"2000\" height=\"924\" srcset=\"https:\/\/www.troyhunt.com\/content\/images\/size\/w600\/2025\/10\/2025-10-27_18-30-56-1.png 600w, https:\/\/www.troyhunt.com\/content\/images\/size\/w1000\/2025\/10\/2025-10-27_18-30-56-1.png 1000w, https:\/\/www.troyhunt.com\/content\/images\/size\/w1600\/2025\/10\/2025-10-27_18-30-56-1.png 1600w, https:\/\/www.troyhunt.com\/content\/images\/size\/w2400\/2025\/10\/2025-10-27_18-30-56-1.png 2400w\"><\/figure>\n<p>This is <a href=\"https:\/\/report-uri.com\/?ref=troyhunt.com\" rel=\"noreferrer\">Report URI&#8217;s<\/a> crash report graph, and until June, we&#8217;d had a good run! Crash reports are super cool because your customers&#8217; browsers automatically generate them, and with just a little tweaking of your response headers, <a href=\"https:\/\/scotthelme.co.uk\/introducing-the-reporting-api-nel-other-major-changes-to-report-uri\/?ref=troyhunt.com\" rel=\"noreferrer\">you can easily turn your customers into automatic crash reporting bots<\/a>! Report URI&#8217;s value proposition (disclosure: <a href=\"https:\/\/report-uri.com\/about\/meet_the_team?ref=troyhunt.com\" rel=\"noreferrer\">I have a working relationship with them<\/a>) is that it can receive those reports and create graphs like you see above. We just weren&#8217;t watching the reports closely enough, hence the &#8220;almost&#8221; in the title.<\/p>\n<p>I wanted to write this short post because sometimes, the answer is right in front of your eyes, and if we&#8217;d looked at what in hindsight is a really obvious place to check, we would have nailed this months ago. So, turn on crash reporting, <em>and pay attention to it!<\/em><\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Troy Hunt<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/www.troyhunt.com\/how-we-almost-found-chromiums-bug-via-crash-reports-to-report-uri\/\">Go to troyhunt<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How We (Almost) Found Chromium&#8217;s Bug via Crash Reports to Report URI Tracking down bugs in software is a pain that all of us who write code must bear. When we&#8217;re talking about outright errors in a web page, you typically have something to get you started (such as output in the console), but that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1956,51],"tags":[149,1957,1958],"class_list":["post-7977","post","type-post","status-publish","format-standard","hentry","category-report-uri","category-troyhunttroyhunt","tag-just","tag-report","tag-when"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7977"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7977"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7977\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}