
Issue 742485


Issue metadata

Status: Assigned
Owner:
Last visit > 30 days ago
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




Content-Security-Policy frame-ancestors report should include referrer

Reported by ja...@tarka.ca, Jul 13 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Create a web page that contains an iframe containing another page
2. Add a header to the iframed page: "Content-Security-Policy: frame-ancestors 'none'; report-uri /csp/report;"
3. Load the parent page in Chrome, and observe the network log
4. Expand the details of the "report" request

What is the expected behavior?
`csp-report.referrer` should be set to the URL or host of the ancestor page that violates the content-security-policy

What went wrong?
`csp-report.referrer` is an empty string

Note: The same behaviour occurs with "Content-Security-Policy-Report-Only"

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 59.0.3071.115  Channel: stable
OS Version: 10.0
Flash Version: 

We are trying to find out where our pages are being embedded, and determine which are legitimate, so we can set a proper `frame-ancestors` directive.

Without the referrer it is impossible to learn where pages are being embedded. Changing CSP from report-only to enforced may cause undesired pages to be blocked, or one may avoid enforcing CSP altogether for fear of breaking something.
 
Attachment: CSP frame-ancestors.zip (1013 bytes)

Comment 1 by hdodda@chromium.org, Jul 24 2017

Cc: hdodda@chromium.org
Labels: Needs-Feedback
We tried running the Python server from localhost and opening the files provided, but the files are downloaded on click. Screenshot attached.

@jason: Could you please provide us the HTML file where the issue is reproduced, so that would help us triage the issue better.

Thanks!
Attachment: 742485.png (21.8 KB)
Labels: Needs-Milestone
They're PHP scripts, not Python. I can try writing something in Python if need be, but the only part that needs scripting is adding the HTTP header.

As for a plain HTML file, unfortunately I can't do that. While `Content-Security-Policy` can be set in a <meta> element, the `frame-ancestors` and `report-uri` directives cannot, nor can the `Content-Security-Policy-Report-Only` header.

I've attached a couple of HTML files, but you can only use them if you modify your web server's config to add `Content-Security-Policy: frame-ancestors 'none'; report-uri /report;` to the list of headers on all requests. You would need to look at the page's network traffic to see the report going out.
Attachment: CSP html - needs server to send header.zip (434 bytes)
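A minimal reproduction server for the set-up described in the issue and in the reply above, added here as an example (it is not the reporter's PHP scripts or any of the attachments): it serves the parent page and the framed page, sends the policy as a real response header (the reply notes a `<meta>` tag cannot carry `frame-ancestors` or `report-uri`), and parses the JSON posted to `/csp/report`. The `csp-report` field names and the `SAMPLE_REPORT` body are constructed from the CSP report format rather than copied from the attachments; when `referrer` is empty, which is the behaviour this issue reports, the summary records the embedding origin as unknown instead of silently logging an empty string.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
# Header from the repro steps; Report-Only so nothing is blocked while collecting.
CSP_HEADER = "frame-ancestors 'none'; report-uri /csp/report"
# Constructed sample of the JSON Chrome POSTs to report-uri (assumed field set);
# the empty referrer is exactly the behaviour the issue describes.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://localhost:8000/framed.html",
    "referrer": "",
    "violated-directive": "frame-ancestors 'none'",
    "effective-directive": "frame-ancestors",
    "original-policy": CSP_HEADER,
    "blocked-uri": "",
}}).encode()

def summarize_report(body: bytes) -> dict:
    """Reduce a csp-report to the fields needed to decide who is embedding us.
    embedding_origin is None when the referrer is empty (the gap this issue is about)."""
    report = json.loads(body)["csp-report"]
    return {
        "framed_page": report.get("document-uri", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "embedding_origin": report.get("referrer") or None,
    }

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":  # parent page that frames the protected page
            body, policy = b'<!doctype html><iframe src="/framed.html"></iframe>', None
        else:                 # framed page: carries the policy, so framing it reports
            body, policy = b"<!doctype html><p>framed</p>", CSP_HEADER
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if policy:
            self.send_header("Content-Security-Policy-Report-Only", policy)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/csp/report":
            return self.send_error(404)
        length = int(self.headers.get("Content-Length", 0))
        print("CSP report:", summarize_report(self.rfile.read(length)))
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it, open http://localhost:8000/ in the browser, and the report for the framed page is printed on the terminal; with the behaviour described in this issue the `embedding_origin` field comes out as `None`.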
Cc: mkwst@chromium.org
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org

Comment 5 by mkwst@chromium.org, Oct 5 2017

This matches the specced behavior (we pass in a global object of `null` in 2.1.2 of https://w3c.github.io/webappsec-csp/#should-block-navigation-response), but I agree that there's little risk in exposing the same referrer that went out on the HTTP request for the framed document (e.g. we'd need to ensure that we tracked the parent document's referrer policy when generating the violation).

Andy, perhaps you could poke at the spec too?
Status: Assigned (was: Unconfirmed)

Comment 7 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 8 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
