
Issue 789845


Issue metadata

Status: Assigned
Owner:
Buried. Ping if important.
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




CSP style-src rule is not honored when a CSS resource is loaded from within <iframe src="data:text/html">

Reported by her...@appsolutemedia.com, Nov 30 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce the problem:
1. Create a page with

<iframe src="data:text/html;..." />

where the data: includes

<link type="text/css" rel="stylesheet" href="{a CSS resource from same domain}">

2. Add the following header to response:

Content-Security-Policy: default-src 'self'; style-src 'self'; frame-src 'self' data:

3. Open the page in a browser; the following message shows up in the Console:

Refused to load the stylesheet '{the same-domain CSS resource}' because it violates the following Content Security Policy directive: "style-src 'self'".

What is the expected behavior?

What went wrong?
Loading the CSS resource is rejected, despite it being allowed by the CSP rule `style-src 'self'`.

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 62.0.3202.94  Channel: n/a
OS Version: 10.0
Flash Version: 

I tried playing with <iframe sandbox="allow-same-origin">, which according to MDN "Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin". But it seems to not affect the behavior.
 

Comment 1 by mkwst@chromium.org, Nov 30 2017

Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)
For my own clarity, you're serving an HTML document (let's say `https://example.com/`) with the policy `default-src 'self'; style-src 'self'; frame-src 'self' data:`, and including a `data:` frame in that document?

In that case, we copy the parent page's policy down to the child frame and apply it there. In that case, `'self'` is no longer referring to `https://example.com/`, but to `data:...`, and therefore isn't going to match anything.

I'm pretty sure this matches the specced behavior. What would you expect it to do instead? (It might be worth opening a spec issue at <https://github.com/w3c/webappsec-csp/issues>).

In my understanding, if the parent's policy is copied to its child, the `self` should refer to the parent, not to `data:`, for the following reasons:

1) If you do propagate a policy down to children, they are obviously under the parent's control, so the policy, including the `self`, should have the same meaning as deemed by the parent. In contrast, if a child has its own policy, e.g. `src="third-party.com"`, the parent obviously has nothing to do with it, which gives birth to the child's `self`. In other words, the `self` represents the document that has declared the policy, not any other that happened to inherit it.

2) Both CSP header and `<iframe src="data:">` are managed by the document owner, so they are sharing the same context. You know what exactly the `data:` contains, so you reflect this in the CSP.

3) `self` being `data:` is not making much sense either. This forces all resources to be `data:` as well, not loaded from the parent's domain. In my case, the CSS has to be data-encoded, to be encoded again as part of the iframe's `data:`.

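To make the `'self'` point in the discussion above concrete, here is a small added model of CSP source matching (example code, not Chromium's implementation, and simplified: no wildcards, paths or port-less host sources). It replays the reported policy first in the parent document and then in the inherited `data:` frame, whose origin is opaque, and finally a policy that names the origin explicitly as a host source so the stylesheet is allowed in both contexts.

```python
"""Toy model of CSP source-list matching, showing why a policy inherited into a
data: iframe refuses a same-origin stylesheet. Origins are (scheme, host, port)
tuples; None stands for an opaque origin such as that of a data: document."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Tuple origin for an http(s) URL; None (opaque) for data: and similar."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS:
        return None
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])

def parse_policy(header):
    """'style-src a b; img-src c' -> {'style-src': ['a', 'b'], 'img-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, url, doc_origin):
    target = origin_of(url)
    if source == "'self'":
        # 'self' means the origin of the document the policy applies to;
        # an opaque origin (data: frame) therefore matches nothing at all.
        return doc_origin is not None and target == doc_origin
    if source == "'none'":
        return False
    if source.endswith(":"):                      # scheme-source, e.g. "data:"
        return urlsplit(url).scheme == source[:-1]
    return target is not None and origin_of(source) == target   # host-source

def allows(policy, directive, url, doc_origin):
    """Fall back to default-src when the fetch directive is absent (CSP rule)."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, doc_origin) for s in sources)

# Constructed sample mirroring the report (example.com stands in for the site).
CSS = "https://example.com/style.css"
FRAME = "data:text/html,<link rel=stylesheet href=" + CSS + ">"
REPORTED = parse_policy("default-src 'self'; style-src 'self'; frame-src 'self' data:")
HARDENED = parse_policy("default-src 'self'; style-src 'self' https://example.com; frame-src 'self' data:")

def check():
    parent, frame = origin_of("https://example.com/"), origin_of(FRAME)  # frame is opaque
    return {
        "parent_may_embed_data_frame": allows(REPORTED, "frame-src", FRAME, parent),
        "parent_loads_css": allows(REPORTED, "style-src", CSS, parent),
        "data_frame_loads_css": allows(REPORTED, "style-src", CSS, frame),
        "data_frame_loads_css_hardened": allows(HARDENED, "style-src", CSS, frame),
    }
```

Running `check()` reproduces the report: the stylesheet is allowed in the parent but refused inside the inherited `data:` frame, and adding the explicit host source makes it load there too.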