CSP sandbox header prevents site from saving credentials
Reported by anto...@gmail.com, Feb 27 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

Steps to reproduce the problem:
1. open a site with CSP 'sandbox'
2. submit the login form
3. it should prompt to save the password

What is the expected behavior?
I would expect it to ask to save the username and password.

What went wrong?
It doesn't ask to save the login. It doesn't put the key icon in the address bar.

Did this work before? N/A

Chrome version: Version 64.0.3282.186 (Official Build) (64-bit)
Channel: stable
OS Version: 10.0
Flash Version:

Simple POC is achievable with a vanilla plain HTML form, served with
Content-Security-Policy: default-src 'self'; img-src 'self' data:; sandbox allow-scripts allow-forms;
Removing the sandbox allows it to work. This works on Firefox 57.
Feb 27 2018
A sandbox header (similar to <iframe sandbox>) will make the origin "unique" (similar to an about:blank iframe). For the purpose of e.g. cookies, we'll still use the original origin. I think the password manager should do the same. Not sure whether there's an existing pw mgr issue about handling unique origins, so assigning to the current pw mgr triage rotation contact.
Mar 14 2018
Issue 821636 has been merged into this issue.
Mar 14 2018
Jochen, I tried CSP 'sandbox' and I can't read cookies because 'allow-same-origin' is missing. Does it mean that it works as intended?
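The report's reproduction header and the follow-up about allow-same-origin both come down to one question: does the CSP sandbox directive leave the document with an opaque origin? Below is an added example (not code from the Chromium bug or the Chromium project) that parses a Content-Security-Policy header and reports that, using the header from the issue description as constructed sample input. The function names and the KNOWN_SANDBOX_FLAGS list are this example's own.

```python
from typing import Dict, List

# Sandbox flags as used by <iframe sandbox> and the CSP sandbox directive
# (list maintained for this example). allow-same-origin is the one that
# decides origin identity: without it the document gets an opaque ("unique")
# origin, so cookies and other origin-keyed browser features do not apply.
KNOWN_SANDBOX_FLAGS = {
    "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-same-origin", "allow-scripts",
    "allow-top-navigation",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [values]}.

    Directives are ';'-separated; names are case-insensitive and, as in the
    CSP spec, only the first occurrence of a directive counts.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def sandbox_report(header: str) -> Dict[str, object]:
    """Describe what a 'sandbox' directive in the header does to the origin."""
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return {"sandboxed": False, "opaque_origin": False,
                "flags": [], "unknown_flags": []}
    flags = {f.lower() for f in policy["sandbox"]}
    return {
        "sandboxed": True,
        "opaque_origin": "allow-same-origin" not in flags,
        "flags": sorted(flags),
        "unknown_flags": sorted(flags - KNOWN_SANDBOX_FLAGS),
    }


# Constructed samples: the header from the report, and a variant keeping the origin.
REPORT_HEADER = "default-src 'self'; img-src 'self' data:; sandbox allow-scripts allow-forms;"
SAME_ORIGIN_HEADER = "default-src 'self'; sandbox allow-scripts allow-forms allow-same-origin"

if __name__ == "__main__":
    for hdr in (REPORT_HEADER, SAME_ORIGIN_HEADER):
        print(hdr, "->", sandbox_report(hdr))
```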
Comment 1 by elawrence@chromium.org, Feb 27 2018
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug