[Webkit-unassigned] [Bug 177671] New: CSP frame-ancestors works incorrectly when x-origin iframe is nested inside srcdoc iframe

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 29 10:49:04 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=177671

            Bug ID: 177671
           Summary: CSP frame-ancestors works incorrectly when x-origin
                    iframe is nested inside srcdoc iframe
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dvoytenko at google.com

The issue is demonstrated here: http://output.jsbin.com/likekal/quiet

The structure of the page is:

```
https://origin1
<html>
  <iframe srcdoc="...">
    #document
      <iframe src="https://origin2"></iframe>
  </iframe>
</html>
```

In other words, origin1 embeds an origin2 iframe via an intermediary srcdoc (friendly) iframe.

Origin2 explicitly allows embedding inside origin1 via CSP directive:
```
"Content-Security-Policy": "frame-ancestors https://origin1", 
```

The demo embeds an origin2 iframe via srcdoc and via about:blank+document.write.

As a result, the srcdoc embedding is not allowed due to a CSP error. Error in console:

"Refused to load https://httpbin.org/response-headers?Content-Security-Policy=frame-ancestors%20http://output.jsbin.com because it does not appear in the frame-ancestors directive of the Content Security Policy."

However, weirdly enough, the embedding via about:blank+document.write works fine. And, interestingly, location.ancestorOrigins in the x-origin iframe returns the correct `[origin1, origin1]`.

I believe srcdoc/x-origin should work per spec: https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response. The srcdoc document should inherit its creator's origin, and that origin should be used for the comparison.
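The following is an added illustration, not WebKit code and not the reporter's demo: a toy model of the frame-ancestors check in which an about:srcdoc (or about:blank) ancestor takes its creator's origin, beside a variant that derives the ancestor origin from the URL alone. The frame tree, the `inheritSrcdocOrigin` switch and the hostnames `origin1`/`origin2` are constructed for the example; the source-expression matcher covers only the common `'none'`, `'self'`, `*`, scheme-source and host-source forms.

```javascript
// Added illustration, not WebKit code. A frame is { url, parent, creator }:
// parent is the embedding frame, creator is the document that created it
// (for srcdoc/about:blank, the document owning the <iframe> element).
// Frame names, hostnames and the inheritSrcdocOrigin switch are assumptions.

// Origin of a frame's document. about:srcdoc and about:blank documents have
// no origin of their own: they inherit their creator's (recursively).
function effectiveOrigin(frame) {
  if (frame.url === "about:srcdoc" || frame.url === "about:blank") {
    return frame.creator ? effectiveOrigin(frame.creator) : "null";
  }
  return new URL(frame.url).origin;
}

// The failure shape the report describes: an origin derived from the URL
// alone, so a srcdoc ancestor becomes an opaque ("null") origin that matches
// no host-source expression.
function urlOnlyOrigin(frame) {
  return new URL(frame.url).origin;
}

// What location.ancestorOrigins exposes: ancestor origins, nearest first.
function ancestorOrigins(frame) {
  const out = [];
  for (let a = frame.parent; a; a = a.parent) out.push(effectiveOrigin(a));
  return out;
}

// Extract the frame-ancestors source list from a CSP header value.
function frameAncestorsSourceList(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null; // directive absent: no ancestor restriction
}

// Does one source expression match an ancestor origin? Handles 'none', 'self',
// *, scheme-source ("https:") and host-source ([scheme://]host[:port], "*." prefix).
function matchesSource(expr, origin, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return origin === selfOrigin;
  if (expr === "*") return origin !== "null";
  if (origin === "null") return false; // opaque origins never match a host-source
  const o = new URL(origin);
  const oScheme = o.protocol.slice(0, -1);
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return schemeOnly[1].toLowerCase() === oScheme;
  let scheme = new URL(selfOrigin).protocol.slice(0, -1); // no scheme given: policy's own
  let hostPort = expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(expr);
  if (m) { scheme = m[1].toLowerCase(); hostPort = m[2]; }
  if (scheme !== oScheme && !(scheme === "http" && oScheme === "https")) return false;
  const [host, port] = hostPort.split(":");
  const h = host.toLowerCase(), oh = o.hostname.toLowerCase();
  if (h.startsWith("*.")) { if (!oh.endsWith(h.slice(1))) return false; }
  else if (h !== oh) return false;
  if (port === undefined) return o.port === ""; // no port in expression: default port only
  if (port === "*") return true;
  return port === (o.port || (oScheme === "https" ? "443" : "80"));
}

// The check itself: every ancestor must match at least one source expression.
// The policy's self-origin is that of the document being framed.
function frameAncestorsCheck(frame, cspHeader, { inheritSrcdocOrigin = true } = {}) {
  const list = frameAncestorsSourceList(cspHeader);
  if (list === null) return "Allowed";
  const selfOrigin = new URL(frame.url).origin;
  for (let a = frame.parent; a; a = a.parent) {
    const origin = inheritSrcdocOrigin ? effectiveOrigin(a) : urlOnlyOrigin(a);
    if (!list.some((expr) => matchesSource(expr, origin, selfOrigin))) return "Blocked";
  }
  return "Allowed";
}

// The frame tree from the report, as a constructed sample: origin1 -> srcdoc -> origin2.
function demoTree() {
  const top = { url: "https://origin1/", parent: null, creator: null };
  const srcdoc = { url: "about:srcdoc", parent: top, creator: top };
  const inner = { url: "https://origin2/", parent: srcdoc, creator: srcdoc };
  return { top, srcdoc, inner };
}

if (typeof require !== "undefined" && require.main === module) {
  const { inner } = demoTree();
  const policy = "frame-ancestors https://origin1";
  console.log(ancestorOrigins(inner));                                            // [ 'https://origin1', 'https://origin1' ]
  console.log(frameAncestorsCheck(inner, policy));                                // Allowed
  console.log(frameAncestorsCheck(inner, policy, { inheritSrcdocOrigin: false })); // Blocked
}
```

With origin inheritance the srcdoc ancestor resolves to origin1 and the check passes, matching what `location.ancestorOrigins` reports; with the URL-only variant the same tree is blocked, which is the shape of the console error quoted above.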
