[Webkit-unassigned] [Bug 236624] New: Document.write into iframe with CSP sometimes blocks resource loads in inner iframe

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 14 17:23:43 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=236624

            Bug ID: 236624
           Summary: Document.write into iframe with CSP sometimes blocks
                    resource loads in inner iframe
           Product: WebKit
           Version: Safari 15
          Hardware: Unspecified
                OS: macOS 12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: matb at microsoft.com

Created attachment 451967

  --> https://bugs.webkit.org/attachment.cgi?id=451967&action=review

Simple repro with two HTML files

== Steps to reproduce the problem ==

1. Start on a page with a restrictive Content Security Policy.
2. Embed a sandboxed, same-origin iframe.
3. On the parent page, use `setInterval` to check the ready state of the iframe. Once it is listed as `complete`, try using `document.write` to write a new HTML document into it. This new HTML document should have its own CSP and try to load content that would be allowed by that CSP but blocked by the parent page's CSP.

I've attached two simple HTML files that show this issue in action. To reproduce, start a simple local server in the folder and open `index.html`.


== What is the expected behavior? ==
The new content of the inner iframe should load (it should load a picture of a cat with a red background).


== What went wrong? ==
Occasionally resources in the inner iframe will be blocked due to a CSP violation. This happens maybe 25% of the time for me. I can reproduce it even more reliably by reducing the `setInterval` timeout.

The fact that the code sometimes works suggests to me that there is some sort of race.


== Does this work in other browsers? ==
This is also broken in Chrome (https://bugs.chromium.org/p/chromium/issues/detail?id=1297377). I can't test in Firefox because the entire scenario is blocked by https://bugzilla.mozilla.org/show_bug.cgi?id=1754872

== Other notes ==
This example seems contrived, but is used in the VS Code codebase to work around https://bugs.webkit.org/show_bug.cgi?id=33604

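The sequence in "Steps to reproduce", written out as an added example (this is not the reporter's attachment and not WebKit code). It assumes the parent `index.html` is served with a restrictive policy such as `default-src 'self'; img-src 'none'` (via header or meta tag) and that this script is loaded as an external file permitted by `'self'`; the cat URL, both policy strings and the polling interval are constructed for illustration. The small `img-src` evaluator shows which of the two policies should decide the image load: the inner document's own CSP permits it, the parent's policy does not, so a `securitypolicyviolation` whose `originalPolicy` is the parent's string is the signature of the race described above.

```javascript
// Added example reproducing the reported scenario; not the reporter's code.
// Policies and URL below are assumed values, not taken from the bug report.
const PARENT_CSP = "default-src 'self'; img-src 'none'";              // assumed restrictive parent policy
const INNER_CSP  = "default-src 'self'; img-src https://example.com"; // assumed policy of the written document
const CAT_URL    = "https://example.com/cat.jpg";                      // constructed image URL

// The HTML document that gets document.write()n into the iframe:
// its own CSP via <meta>, a red background and the cat image.
function buildInnerDocument(csp, imgUrl) {
  return `<!DOCTYPE html><html><head>` +
    `<meta http-equiv="Content-Security-Policy" content="${csp}">` +
    `</head><body style="background:red">` +
    `<img src="${imgUrl}" alt="cat">` +
    `</body></html>`;
}

// Minimal img-src evaluator covering only the source expressions used here
// ('none', 'self', and a scheme://host origin); falls back to default-src.
// It is enough to show which policy would allow or block CAT_URL.
function cspAllowsImage(policy, imgUrl, pageOrigin) {
  const directives = new Map(
    policy.split(';').filter(d => d.trim()).map(d => {
      const [name, ...values] = d.trim().split(/\s+/);
      return [name, values];
    })
  );
  const sources = directives.get('img-src') ?? directives.get('default-src') ?? [];
  const target = new URL(imgUrl);
  return sources.some(src => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    return target.origin === src.replace(/\/$/, '');
  });
}

// Browser-only part: embed a sandboxed same-origin iframe, poll its readyState,
// then document.write the inner document. A short interval widens the race
// window, matching the reporter's observation that a smaller timeout
// reproduces the block more often.
function startRepro(pollMs = 1) {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts allow-same-origin');
  document.body.appendChild(frame);

  const timer = setInterval(() => {
    const doc = frame.contentDocument;
    if (!doc || doc.readyState !== 'complete') return;
    clearInterval(timer);

    doc.open();
    doc.write(buildInnerDocument(INNER_CSP, CAT_URL));
    doc.close();

    // If the parent's policy was applied instead of the inner one,
    // originalPolicy will carry the parent's string.
    doc.addEventListener('securitypolicyviolation', e => {
      console.log('blocked', e.blockedURI, 'by policy:', e.originalPolicy);
    });
    const img = doc.querySelector('img');
    img.addEventListener('load', () => console.log('cat loaded (expected behavior)'));
    img.addEventListener('error', () => console.log('cat failed to load (check the violation above)'));
  }, pollMs);
}

// Only run the DOM part inside a browser; the helpers above work anywhere.
if (typeof document !== 'undefined') startRepro();
```

Running this from a page served at `http://localhost:8000` with the parent policy in place, the expected outcome is the `load` message; a `securitypolicyviolation` naming the parent's policy string is the failure mode the report describes.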