Security: CSP child-src 'none' allows JavaScript URIs
Reported by
antonio....@gmail.com,
Jan 6 2017
Issue description
There is an issue with Google Chrome's CSP evaluation of child-src and the javascript: pseudo URI. Instant demo: http://asanso.github.io/csp-nonce/iframe.html
Jan 9 2017
Mike, could you please take a look?
Jan 9 2017
We gate navigation to `javascript:` (both via `<iframe>`/`<frame>` and via `<a>`) on `script-src`, as the code execution happens in the current document (see https://w3c.github.io/webappsec-csp/#script-src-inline in CSP, which is called from https://w3c.github.io/webappsec-csp/#should-block-navigation-request, which is called from HTML's navigation algorithm in step ~12 of https://html.spec.whatwg.org/#navigate; it's convoluted, but I think it's accurate). I can see how you might expect `child-src` to gate these kinds of executions, but that's not the route we've taken in CSP. If you'd like to spark a deeper discussion about whether we're doing the right thing, I'd suggest filing a bug against the spec at https://github.com/w3c/webappsec-csp/issues/. Happy to chat about things there.
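To make the rule in the comment above concrete, here is an added example (not code from this bug thread or from Chromium) that models which CSP directive decides whether an `<iframe src="javascript:...">` runs: `script-src`, falling back to `default-src`, with `child-src` playing no part. It assumes the simplified spec behaviour that the javascript: URL runs only if the governing source list contains `'unsafe-inline'` and no nonce or hash source.

```javascript
// Added example, not code from the bug thread or from Chromium: a simplified
// model of which CSP directive gates an <iframe src="javascript:..."> load.
// Assumption (from the comment above): the check is script-src, falling back
// to default-src; child-src plays no part. Assumption (simplified from the
// spec): the javascript: URL runs only if the governing list has
// 'unsafe-inline' and no nonce or hash source (which would disable it).

const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'child-src': ['child-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};

// Parse "name src src; name src" into { name: [src, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Walk the fallback chain; return [directiveName, sourceList] or null.
function effectiveDirective(policy, directive) {
  for (const name of FALLBACK[directive] || [directive]) {
    if (name in policy) return [name, policy[name]];
  }
  return null;
}

// 'unsafe-inline' is honoured only when no nonce/hash source is present.
function allowsInline(sources) {
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const lowered = sources.map((s) => s.toLowerCase());
  return !hasNonceOrHash && lowered.includes("'unsafe-inline'");
}

// Does a javascript: iframe run under this policy, and which directive decided?
function checkJavascriptFrame(header) {
  const governing = effectiveDirective(parsePolicy(header), 'script-src');
  if (!governing) return { governedBy: null, allowed: true }; // no script restriction at all
  const [name, sources] = governing;
  return { governedBy: name, allowed: allowsInline(sources) };
}

// The reported policy: child-src 'none' alone does not stop the javascript: frame.
console.log(checkJavascriptFrame("child-src 'none'"));
// Adding a script-src without 'unsafe-inline' does.
console.log(checkJavascriptFrame("child-src 'none'; script-src 'self'"));
```

Constructed policies in the calls are for illustration; a real page would set them in its Content-Security-Policy header.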
Jan 9 2017
@mike thanks a lot for the clarifications. I probably got confused by the presence of 'unsafe-inline' in the documentation (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src). BTW, hasn't this already been discussed in https://github.com/w3c/webappsec-csp/issues/127 ?
Apr 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jan 6 2017
Summary: Security: CSP child-src 'none' allows JavaScript URIs (was: Security: Issue with Google Chrome CSP evaluation of child-src)