
Issue 779031


Issue metadata

Status: Fixed
Closed: Feb 2018
Pri: 3
Type: Bug

Embedded Enforcement - nested iframe is not blocked when it does not respect the top level required CSP

Project Member Reported by andypaicu@chromium.org, Oct 27 2017

Issue description

What steps will reproduce the problem?
(1) Embed an iframe with a csp attribute to force it to implement a csp policy. Make sure the result of the src request has a CSP that subsumes the csp attribute value to make sure it's not blocked.

(2) Embed a nested iframe inside the first iframe that has a CSP that does not subsume the csp attribute

(3) The nested iframe is not blocked even though it should be according to spec (https://w3c.github.io/webappsec-csp/embedded/#required-csp)

What is the expected result?
The iframe should be blocked with an appropriate message

What happens instead?
The iframe is allowed to load even though its CSP does not subsume the required CSP


 

Comment 1 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 2 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 3 by bugdroid1@chromium.org, Feb 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396

commit f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396
Author: Andy Paicu <andypaicu@chromium.org>
Date: Fri Feb 23 11:33:44 2018

Implemented cascading of the RequiredCSP through nested contexts

An iframe that is inside another iframe that has a RequiredCSP should
respect that RequiredCSP.

Spec: https://w3c.github.io/webappsec-csp/embedded/#required-csp

Bug: 779031
Change-Id: I9042d63a6d14f48fd3cf1caaccf22c5cd1aa6d7a
Reviewed-on: https://chromium-review.googlesource.com/924064
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538760}
[add] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required-csp-header-cascade.html
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/support/echo-required-csp.py
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/exported/WebFrame.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/frame/FrameOwner.h
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/frame/RemoteFrameOwner.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/frame/RemoteFrameOwner.h
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.h
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/html/HTMLIFrameElement.h
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/loader/DocumentLoader.h
[modify] https://crrev.com/f6d6211d3e7a8d6662ba7b807b56d0d56ea0d396/third_party/WebKit/Source/core/loader/FrameLoader.cpp

Status: Fixed (was: Assigned)
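
The reproduction steps in the issue description and the cascading named in the commit message, modelled as an added example (this is not Chromium's code and not part of the original thread). The subsumption check is a deliberate simplification (exact-string source matching, no wildcards, no default-src fallback); the frame tree, the URLs and the names parsePolicy, subsumes and blockedFrames are constructed for illustration, and the rule that a frame without its own csp attribute inherits its embedder's required CSP is an assumption of the model.

```javascript
// Simplified model: policy text -> Map(directive name -> Set of source expressions).
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name || policy.has(name.toLowerCase())) continue; // first occurrence wins
    policy.set(name.toLowerCase(), new Set(sources.filter((s) => s !== "'none'")));
  }
  return policy;
}

// Simplified subsumption (assumption, not the spec algorithm): every directive in
// `required` must appear in `delivered` and allow no source `required` lacks.
function subsumes(required, delivered) {
  const req = parsePolicy(required);
  const got = parsePolicy(delivered || ""); // no CSP delivered -> empty policy
  for (const [name, allowed] of req) {
    if (!got.has(name)) return false;
    for (const src of got.get(name)) if (!allowed.has(src)) return false;
  }
  return true;
}

// Walk the frame tree and collect the URLs of frames that must be blocked.
// cascade=false: only a frame's own csp attribute is enforced (reported behaviour).
// cascade=true: a frame without a csp attribute inherits its embedder's required CSP.
function blockedFrames(frame, cascade, inherited = null, out = []) {
  const required = frame.cspAttr ?? (cascade ? inherited : null);
  if (required !== null && !subsumes(required, frame.responseCsp)) {
    out.push(frame.url); // blocked, so its own children never load
    return out;
  }
  for (const child of frame.children ?? []) blockedFrames(child, cascade, required, out);
  return out;
}

// Constructed frame tree matching steps (1) and (2) of the report.
const tree = {
  url: "https://outer.example/",
  cspAttr: "script-src 'self'",     // csp attribute on the outer iframe
  responseCsp: "script-src 'self'", // subsumes the attribute, so the frame loads
  children: [{
    url: "https://inner.example/",
    cspAttr: null,                  // nested iframe sets no csp attribute
    responseCsp: "script-src 'self' 'unsafe-inline'", // weaker than required
  }],
};

console.log({ before: blockedFrames(tree, false), after: blockedFrames(tree, true) });
```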
