
Issue 834244

Issue metadata

Status: Assigned
OS: Linux, Windows, Mac
Pri: 2
Type: Bug


Same-host <base href="..."> disallowed in sandboxed iframe with CSP base-uri 'self'

Project Member Reported by maxka@google.com, Apr 18 2018

Issue description

Chrome Version: 66.0.3359.117
OS Version: Debian Rodete
URLs (if applicable): https://jsfiddle.net/mjakfr2v/
Other browsers tested:
  Safari: unknown
  Firefox: OK
  IE/Edge: OK

What steps will reproduce the problem?
<html>
 <body>
  <iframe sandbox="allow-scripts" src="https://policies.google.com/privacy/embedded"></iframe>
 </body>
</html>

https://policies.google.com/privacy/embedded page has CSP header:
content-security-policy: ... base-uri 'self'; ...

https://jsfiddle.net/mjakfr2v/

What is the expected result?

No error, base URL of the iframe set properly to https://policies.google.com

What happens instead of that?

Refused to set the document's base URI to 'https://policies.google.com/' because it violates the following Content Security Policy directive: "base-uri 'self'".

Base URL remains at https://policies.google.com/privacy

UserAgentString: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Labels: Needs-Triage-M66
Cc: sindhu.chelamcherla@chromium.org
Components: Internals>Sandbox>SiteIsolation
Labels: -Pri-3 Triaged-ET M-68 FoundIn-68 Target-68 OS-Mac OS-Windows Pri-2
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on reported version 66.0.3359.117 and latest canary 68.0.3400.0 using Windows 10, Mac 10.13.3 and Ubuntu 14.04, using the JSFiddle given in comment #0.

This issue is seen from M-60. Hence considering this issue as Non-Regression and marking as Untriaged.

Thanks!

Comment 3 by creis@chromium.org, Apr 19 2018

Cc: mkwst@chromium.org creis@chromium.org iclell...@chromium.org
Components: -Internals>Sandbox>SiteIsolation Blink>SecurityFeature
I can repro this bug with and without Site Isolation enabled, so I don't think that's the cause.

mkwst@ or iclelland@, would you be able to take a look from the CSP / iframe sandbox perspective?
Chrome certainly appears to be violating the spec here: where https://w3c.github.io/webappsec-csp/#allow-base-for-document says that the base URI is to be compared against "document’s fallback base URL’s origin", Chrome is actually comparing it against the document's origin (which is opaque in this case).

Re: #4, Was this correct before M60, or has this bug always been present in the code?
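
The check described in comment 3, modelled as an added example (not Chromium's code or the spec's own text): it runs the CSP `base-uri 'self'` comparison both the way the spec words it (against the fallback base URL's origin) and the way the comment says Chrome does it (against the document's origin, which is opaque in a sandboxed frame), using the URLs from this report. Reducing `'self'` to plain origin equality is a simplifying assumption; the spec's `'self'` matching also has port and scheme-upgrade rules that are not modelled here.

```javascript
// Added example (not Chromium or spec code). Models the CSP3 "allow base for document"
// check for the source expression 'self', assuming 'self' simply means "same origin".
// Uses the WHATWG URL class available in Node.js and browsers.

// Minimal document model. A sandboxed iframe without allow-same-origin gets an
// opaque origin, modelled here as null; its fallback base URL is still its own URL.
function makeDocument(url, { sandboxed = false } = {}) {
  const fallbackBaseURL = new URL(url);
  return { fallbackBaseURL, origin: sandboxed ? null : fallbackBaseURL.origin };
}

// What the spec says: compare the candidate base URL's origin with the
// document's *fallback base URL's* origin, which exists even for sandboxed frames.
function specAllowsBase(doc, candidate) {
  return new URL(candidate).origin === doc.fallbackBaseURL.origin;
}

// What comment 3 says Chrome does: compare with the document's own origin.
// An opaque origin equals nothing, so 'self' can never match inside the sandbox.
function chromeAllowsBase(doc, candidate) {
  if (doc.origin === null) return false;
  return new URL(candidate).origin === doc.origin;
}

// The report's scenario: the sandboxed embedded privacy page sets
// <base href="https://policies.google.com/"> under "base-uri 'self'".
function reportScenario() {
  const doc = makeDocument('https://policies.google.com/privacy/embedded', { sandboxed: true });
  const candidate = 'https://policies.google.com/';
  return {
    expected: specAllowsBase(doc, candidate),   // true: no violation expected
    observed: chromeAllowsBase(doc, candidate), // false: "Refused to set the document's base URI"
  };
}

// Control case: a cross-origin <base> must be refused under both readings.
function crossOriginScenario() {
  const doc = makeDocument('https://policies.google.com/privacy/embedded', { sandboxed: true });
  const candidate = 'https://example.com/'; // constructed value, not from the report
  return { spec: specAllowsBase(doc, candidate), chrome: chromeAllowsBase(doc, candidate) };
}

console.log(reportScenario(), crossOriginScenario());
```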

Comment 5 by jochen@chromium.org, Apr 24 2018

Owner: andypaicu@chromium.org
Status: Assigned (was: Untriaged)