Cuprite url_blacklist (Fetch interception) can hang XHR PUT with Blob body (Rails ActiveStorage direct uploads) #308
Description
Summary:
As a result of an upgrade from Rails 7.2 to 8.0, we started having issues with ActiveStorage direct uploads hanging on the upload PUT request to /rails/active_storage/disk/....
The preceding POST to /rails/active_storage/direct_uploads succeeds (200), but the subsequent PUT never finishes; Chrome DevTools shows the request stuck with “Provisional headers are shown”.
Disabling url_blacklist fixes it. As a workaround, we can still block external resources using CDP Network.setBlockedURLs, which does not hang the upload.
The PUT hangs in both headless and headed mode.
Environment:
Rails: 8.0.4
Ruby: 3.3.10
cuprite: 0.17
ferrum: 0.17.1
Chromium: 144.x (observed 144.0.7559.97)
Reproduction:
Configure Cuprite with url_blacklist to block external assets (e.g. google.com, googleapis.com).
Visit a page that triggers an ActiveStorage direct upload.
Attach a file (direct upload kicks off).
Observe: POST /rails/active_storage/direct_uploads completes, but PUT /rails/active_storage/disk/<signed_id> hangs indefinitely (DevTools shows “Provisional headers are shown”; system tests time out).
Expected:
The direct-upload PUT completes and the file attaches.
Actual:
The direct-upload PUT never completes; UI/test remains stuck.
Workaround:
Avoid Cuprite url_blacklist and instead block external requests via CDP:
Network.enable
Network.setBlockedURLs(urls: [...])
Notes:
url_blacklist appears to enable CDP Fetch request interception. Once interception is enabled, uploads using binary/streaming bodies (XHR/fetch PUT Blob) can stall, even though the request URL itself is not blacklisted (same-origin ActiveStorage disk upload route).