[Webkit-unassigned] [Bug 272680] New: CSP *.origin does not work correctly in sandboxed frames

Mon Apr 15 07:49:36 PDT 2024

https://bugs.webkit.org/show_bug.cgi?id=272680

            Bug ID: 272680
           Summary: CSP *.origin does not work correctly in sandboxed
                    frames
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jannis.rautenstrauch at cispa.de

In sandboxed iframes a CSP of `*.origin` does not match `sub.origin` even though it should?.

- The following URL frames a sandboxed IFrame with CSP `script-src *.headers.websec.saarland`: http://sub.headers.websec.saarland/_hp/tests/script-execution-csp.sub.html?resp_type=basic&browser_id=1&label=CSP-SCRIPT&first_id=98&last_id=98&scheme=http&t_resp_id=98&t_element_relation=execution_sandbox&t_resp_origin=http://headers.webappsec.eu
- The frame tries to load a script from `sub.headers.websec.saarland`
- Loading is blocked by the CSP: no message is received
- In Firefox and Chromium the script loads, a message is received

Probably related: https://bugs.webkit.org/show_bug.cgi?id=272674

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240415/0283dec4/attachment.htm>