[Webkit-unassigned] [Bug 271377] New: Frame-Ancestors directive not supported in Content-Security-Policy-Report-Only Mode
bugzilla-daemon at webkit.org
Thu Mar 21 05:34:37 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=271377
Bug ID: 271377
Summary: Frame-Ancestors directive not supported in Content-Security-Policy-Report-Only Mode
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jannis.rautenstrauch at cispa.de
Framing a page that sets a `Content-Security-Policy-Report-Only: frame-ancestors 'none'` header results in the following error message: "The Content Security Policy directive 'frame-ancestors' is ignored when delivered in a report-only policy." in Safari only. In Chromium and Firefox, a report is generated.
The following two WPT tests already test for this behavior, and it would be great for compatibility if WebKit would also report the violation here.
- https://wpt.fyi/results/content-security-policy/frame-ancestors/report-only-frame.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
- https://wpt.fyi/results/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
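A minimal local reproducer for the behavior reported above, added here as an example and not part of the bug report or of WebKit's code: it serves a page with the report-only `frame-ancestors 'none'` policy, a parent page that frames it, and a collector that keeps only `frame-ancestors` reports. The paths (`/framed`, `/parent`, `/csp-report`, `/reports`), port 8080 and the helper names are assumptions.

```javascript
// Added reproducer; the paths, port 8080 and helper names are assumptions.
const REPORT_ONLY = "frame-ancestors 'none'; report-uri /csp-report";
const reports = []; // frame-ancestors violations collected so far

// Keep only frame-ancestors violations from a legacy report-uri JSON body.
function parseReport(text) {
  let r;
  try { r = JSON.parse(text)["csp-report"]; } catch { return null; }
  if (!r || typeof r !== "object") return null;
  const directive = String(r["effective-directive"] || r["violated-directive"] || "");
  if (directive.split(/\s+/)[0] !== "frame-ancestors") return null;
  return { document: r["document-uri"] || null, disposition: r["disposition"] || "unknown" };
}

// Pure router, so the behaviour can be checked without opening a socket.
function handle(method, path, body = "") {
  const html = { "Content-Type": "text/html" };
  if (method === "GET" && path === "/framed") // page under test: policy is report-only
    return { status: 200, headers: { ...html, "Content-Security-Policy-Report-Only": REPORT_ONLY }, body: "<p>framed</p>" };
  if (method === "GET" && path === "/parent") // same-origin framing still violates 'none'
    return { status: 200, headers: html, body: '<iframe src="/framed"></iframe>' };
  if (method === "POST" && path === "/csp-report") {
    const v = parseReport(body);
    if (v) reports.push(v);
    return { status: 204, headers: {}, body: "" };
  }
  if (method === "GET" && path === "/reports")
    return { status: 200, headers: { "Content-Type": "application/json" }, body: JSON.stringify(reports) };
  return { status: 404, headers: {}, body: "" };
}

// Thin HTTP wrapper around handle(), bound to loopback only.
async function serve(port) {
  const http = await import("node:http");
  http.createServer((req, res) => {
    let body = "";
    req.on("data", (c) => { if (body.length < 65536) body += c; }); // cap stored body
    req.on("end", () => {
      const out = handle(req.method, req.url.split("?")[0], body);
      res.writeHead(out.status, out.headers);
      res.end(out.body);
    });
  }).listen(port, "127.0.0.1");
}
if (process.argv.includes("--serve")) serve(8080);
```

Started with `--serve`, load `http://127.0.0.1:8080/parent` in each browser and then read `/reports`: a browser that honors the directive in report-only mode leaves an entry there while still rendering the frame, and one that ignores it leaves the list empty.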