[Webkit-unassigned] [Bug 177671] New: CSP frame-ancestors works incorrectly when x-origin iframe is nested inside srcdoc iframe
bugzilla-daemon at webkit.org
Fri Sep 29 10:49:04 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=177671
Bug ID: 177671
Summary: CSP frame-ancestors works incorrectly when x-origin iframe is nested inside srcdoc iframe
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: dvoytenko at google.com
The issue is demonstrated here: http://output.jsbin.com/likekal/quiet
The structure of the page is:
```
https://origin1
<html>
<iframe srcdoc="...">
#document
<iframe src="https://origin2"></iframe>
</iframe>
</html>
```
In other words, origin1 embeds origin2 iframe via intermediary srcdoc (friendly) iframe.
Origin2 explicitly allows embedding inside origin1 via CSP directive:
```
"Content-Security-Policy": "frame-ancestors https://origin1",
```
The demo embeds an origin2 iframe via srcdoc and via about:blank+document.write.
As a result, srcdoc embedding is not allowed due to a CSP error. Error in console:
"Refused to load https://httpbin.org/response-headers?Content-Security-Policy=frame-ancestors%20http://output.jsbin.com because it does not appear in the frame-ancestors directive of the Content Security Policy."
However, weirdly enough, the embedding via about:blank+document.write works fine. And, interestingly, location.ancestorOrigins in the x-origin iframe returns the correct `[origin1, origin1]`.
I believe srcdoc/x-origin should work per spec: https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response. The srcdoc document should inherit its creator's origin, and that origin should be used for the comparison.
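To make the expected behaviour concrete, here is an added model (not WebKit code and not part of the report) of the spec's "frame-ancestors navigation response check" combined with the HTML rule that about:srcdoc and about:blank documents inherit their creator's origin. The ancestor chain from the report is constructed inline as `SCENARIO` (nearest ancestor first, as location.ancestorOrigins lists them); `ORIGIN1`, `ORIGIN2`, the document objects and the `inheritSrcdoc` switch are assumptions of this example. With the switch off, the srcdoc document is given the opaque origin "null" instead of its creator's origin, which is one way to produce the refusal seen in the console; that is shown only to illustrate the consequence of not inheriting, not as a diagnosis of WebKit's implementation.

```javascript
// Added example: a model of CSP's "frame-ancestors navigation response check"
// (https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response)
// plus the HTML origin-inheritance rule for about:srcdoc / about:blank documents.
// Illustrative code, not WebKit's implementation. Origins are plain
// "scheme://host[:port]" strings; ancestor documents are the small objects in SCENARIO.

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[u.protocol] || "" };
}

// Origin of an ancestor document. about:srcdoc and about:blank documents have no
// origin of their own; per HTML they inherit their creator's origin. With
// inheritSrcdoc=false (assumed switch, for illustration only) they get the opaque
// origin "null", which can never match a frame-ancestors source expression.
function documentOrigin(doc, inheritSrcdoc = true) {
  if (doc.url === "about:srcdoc" || doc.url === "about:blank") {
    if (inheritSrcdoc && doc.creatorOrigin) return doc.creatorOrigin;
    return "null";
  }
  return new URL(doc.url).origin;
}

function schemeMatches(exprScheme, originScheme) {
  return exprScheme === originScheme
    || (exprScheme === "http:" && originScheme === "https:")
    || (exprScheme === "ws:" && originScheme === "wss:");
}

// Does one ancestor-source expression match `origin`? Supports 'none', 'self', '*',
// scheme-source ("https:") and host-source with optional scheme, "*." prefix and
// port ("https://*.example.com:8443"). Path parts are not handled; they do not
// affect an origin comparison.
function matchesSource(expr, origin, responseOrigin) {
  if (expr === "'none'") return false;
  if (origin === "null") return false;                 // opaque origins match nothing
  if (expr === "'self'") return origin === responseOrigin;
  if (expr === "*") return true;
  const o = parseOrigin(origin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), o.scheme);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme: the expression's own, else the response's scheme (http: also matches https:).
  const wanted = scheme ? scheme.toLowerCase() + ":" : parseOrigin(responseOrigin).scheme;
  if (!schemeMatches(wanted, o.scheme)) return false;
  const h = host.toLowerCase();
  if (wildcard ? !o.host.endsWith("." + h) : o.host !== h) return false;
  if (port === "*") return true;
  if (port) return o.port === port;
  return o.port === DEFAULT_PORT[o.scheme];            // no port-part: default port only
}

// The check itself: every ancestor document's origin must match at least one
// expression of the directive, otherwise the response is blocked.
function frameAncestorsCheck(directiveValue, ancestors, responseOrigin, inheritSrcdoc = true) {
  const exprs = directiveValue.trim().split(/\s+/);
  for (const doc of ancestors) {
    const origin = documentOrigin(doc, inheritSrcdoc);
    if (!exprs.some(e => matchesSource(e, origin, responseOrigin))) {
      return { allowed: false, blockedBy: doc.url, origin };
    }
  }
  return { allowed: true };
}

// Constructed scenario mirroring the report: origin1 -> srcdoc iframe -> origin2 iframe.
const ORIGIN1 = "https://origin1";
const ORIGIN2 = "https://origin2";
const SCENARIO = [
  { url: "about:srcdoc", creatorOrigin: ORIGIN1 }, // intermediary "friendly" iframe
  { url: "https://origin1/" },                     // top-level document
];

// origin2 answers with "frame-ancestors https://origin1"; per spec this is allowed.
function demo() {
  const perSpec = frameAncestorsCheck("https://origin1", SCENARIO, ORIGIN2);
  const noInherit = frameAncestorsCheck("https://origin1", SCENARIO, ORIGIN2, false);
  return { perSpec, noInherit };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints `perSpec.allowed: true` (the srcdoc document contributes its creator's origin, https://origin1, exactly as `location.ancestorOrigins` reports) and `noInherit.allowed: false` with `blockedBy: "about:srcdoc"`, which is the outcome the console error describes.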