[Webkit-unassigned] [Bug 223848] New: CSP: iframe with sandbox="allow-scripts" does not respect default-src 'self' policy

bugzilla-daemon at webkit.org
Sat Mar 27 21:30:23 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=223848

            Bug ID: 223848
           Summary: CSP: iframe with sandbox="allow-scripts" does not
                    respect default-src 'self' policy
           Product: WebKit
           Version: Safari 14
          Hardware: Mac (Intel)
                OS: macOS 10.15
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: hi at daniel-massey.com

I have an iframe defined as follows:

<iframe src="https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/" sandbox="allow-scripts"></iframe>

The embedded page contains a CSP meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">

The page contains a script tag like this, which should be allowed by default-src 'self':

<script src="test.js"></script>

However, this error is thrown:
Refused to load https://cloudflare-ipfs.com/ipfs/QmPAQqymGn4GTNmfUqof2xtQNJU7GHRcvcvaPSJSzhNoTw/style.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy.

If I add "allow-same-origin" to the iframe's sandbox attribute, the error goes away.

I've set up a working example here:
https://jsfiddle.net/4hLdygm9/1/

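The report above turns on how the CSP 'self' keyword is resolved for a document inside a sandboxed iframe. The following Node.js script is an added example, written for this page and not taken from the bug report, the jsfiddle or WebKit's own source. It models two possible interpretations of 'self' as an assumption: one where 'self' is derived from the document's origin (which is opaque, serialised as "null", for a sandboxed frame without allow-same-origin, so 'self' matches nothing), and one where it is derived from the origin of the URL the document was fetched from (unaffected by the sandbox flags). The matching rule is a simplified version of the CSP 'self' rule (scheme, host and port, with the http-to-https upgrade); IPv6 literals, IDNA and most other source expressions are left out. The URLs are those from the report; the function names, the policy string and the "document"/"response" labels are this example's own.

```javascript
// Added example, not part of the bug report or of WebKit. Models how the CSP
// 'self' source expression is resolved for a document in a sandboxed iframe,
// under two assumed interpretations of where the "self origin" comes from:
//   "document": taken from the document's origin; opaque (no allow-same-origin)
//               means 'self' matches nothing.
//   "response": taken from the origin of the URL the document was loaded from.
// Which one a given engine implements is not asserted here.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Resolve the policy's self origin. `sandboxAttr` is the value of the iframe's
// sandbox attribute ("" for an empty attribute) or null when absent.
function selfOrigin(documentUrl, sandboxAttr, interpretation) {
  const opaque = sandboxAttr !== null &&
    !sandboxAttr.trim().split(/\s+/).includes("allow-same-origin");
  if (interpretation === "document" && opaque) return null; // opaque origin
  const u = new URL(documentUrl);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// Does `url` match 'self' for `origin`? Same host; same scheme or an http->https
// upgrade; port equal to the origin's port (explicit or scheme default).
// Simplified: no IPv6/IDNA handling.
function matchesSelf(url, origin) {
  if (origin === null) return false; // nothing matches an opaque origin
  const u = new URL(url);
  if (u.hostname !== origin.host) return false;
  const upgrade = origin.scheme === "http:" && u.protocol === "https:";
  if (u.protocol !== origin.scheme && !upgrade) return false;
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  return urlPort === origin.port || (upgrade && urlPort === "443");
}

// Evaluate a default-src directive value for a URL fetch. Handles 'self', 'none',
// '*' and scheme-qualified host sources (exact origin match); other keywords such
// as 'unsafe-inline' do not govern URL fetches and are skipped. Simplified.
function allowedByDefaultSrc(directiveValue, url, origin) {
  const sources = directiveValue.trim().split(/\s+/);
  if (sources.length === 1 && sources[0] === "'none'") return false;
  for (const src of sources) {
    if (src === "'self'") {
      if (matchesSelf(url, origin)) return true;
    } else if (src === "*") {
      return true;
    } else if (!src.startsWith("'")) {
      try {
        if (new URL(src).origin === new URL(url).origin) return true;
      } catch (e) { /* not a scheme-qualified host source; ignored in this model */ }
    }
  }
  return false;
}

// URLs from the report; the policy mirrors the embedded page's meta tag.
const PAGE = "https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/";
const SCRIPT = PAGE + "test.js";
const POLICY = "'self' 'unsafe-inline'";

// The three situations the report contrasts.
function demo() {
  return {
    sandboxedDocumentOrigin:
      allowedByDefaultSrc(POLICY, SCRIPT, selfOrigin(PAGE, "allow-scripts", "document")),
    sandboxedResponseOrigin:
      allowedByDefaultSrc(POLICY, SCRIPT, selfOrigin(PAGE, "allow-scripts", "response")),
    allowSameOriginDocumentOrigin:
      allowedByDefaultSrc(POLICY, SCRIPT, selfOrigin(PAGE, "allow-scripts allow-same-origin", "document")),
  };
}

console.log(demo());
```

Running it with node prints one boolean per case: under the "document" interpretation the sandboxed frame's own test.js is refused, while adding allow-same-origin (or deriving 'self' from the response URL) lets it load, which is the difference the report observes.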