
Issue 866249

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


frame-src Content Security Policy can't prevent iframe with srcdoc attribute

Reported by jsh.mi...@gmail.com, Jul 21

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce the problem:
1. Set Content Security Policy of browser with the following: 'frame-src https://www.youtube.com/embed/ https://player.vimeo.com https://*.soundcloud.com https://soundcloud.com https://*.twitter.com https://*.facebook.com https://www.instagram.com https://imgur.com;'
2. add the following to a page: <iframe src='data:text/html;charset=utf-8,%3Chtml%3E%3Cbody%3Efoo%3C/body%3E%3C/html%3E'></iframe>
3. add the following to the same page: <iframe srcdoc='anything'></iframe>
4. load the page
5. the iframe with the 'src' attribute is blocked from loading.  The iframe with the 'srcdoc' attribute loads.

What is the expected behavior?
The iframe with the srcdoc attribute shouldn't load.

What went wrong?
The iframe with the srcdoc attribute loaded.

Did this work before? No 

Does this work in other browsers? N/A

Chrome version: 67.0.3396.87  Channel: n/a
OS Version: OS X 10.11.5
Flash Version:
 
Labels: Needs-Triage-M67
Components: -Blink>HTML Blink>SecurityFeature
Cc: vamshi.kommuri@chromium.org
Labels: Needs-Feedback Triaged-ET
Thanks for filing the issue!

@Reporter: Could you please share a sample test file with the conditions mentioned in comment#0? That would help us triage the issue further. Any further inputs from your end may be helpful.
Cc: andypaicu@chromium.org
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)
We end up treating the `srcdoc` frame as more or less an extension of the parent, as it doesn't fetch any data. It inherits the same origin and same constraints. Firefox has made the same decision here.

What's the additional risk we're creating by doing so?
Feel free to correct me if I'm wrong in any of my points, but my take is that the Content Security Policy is meant to mitigate risk of XSS.  If someone were able to somehow add an iframe to a page with a srcdoc attribute, they could potentially run JS that could exploit the Meltdown/Spectre vulnerabilities.  Seems to just be a reasonable method of ensuring no iframes can be included in a page at all if I don't plan on ever allowing them.  I know that the new Chrome update should preclude the Meltdown and Spectre vulnerabilities from running successfully, but you never know what could come in the future.


Here's a running example pitting iframes with src vs srcdoc against each other (my site, which is similar to JSFiddle/Codepen):
https://www.formofgood.com/post/iframe-testing/edit
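As an added illustration, not code from the issue thread or from Chromium, here is a small JavaScript matcher for `frame-src` source expressions applied to the reporter's exact policy. It shows why the `data:` iframe in step 2 is blocked (no source in the list has the `data:` scheme) and that a `srcdoc` iframe never reaches the directive's URL match at all, which is the inheritance behaviour described in the owner's comment. The names `sourceMatches` and `frameDecision` are mine; keyword sources (`'self'`, `'none'`), a bare `*` and port syntax are deliberately not handled.

```javascript
// Added example, not code from the issue: a minimal CSP frame-src matcher
// run against the reporter's policy. Assumptions: only scheme-sources and
// host-sources are handled; 'self', 'none', a bare * and ports are not.
const FRAME_SRC =
  "https://www.youtube.com/embed/ https://player.vimeo.com " +
  "https://*.soundcloud.com https://soundcloud.com https://*.twitter.com " +
  "https://*.facebook.com https://www.instagram.com https://imgur.com";

// Match one source expression against a parsed URL, following the CSP
// host-source rules: optional scheme, optional leading "*." label, host,
// and a path that is a prefix match when it ends in "/" and exact otherwise.
function sourceMatches(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // scheme-source such as "data:" or "https:"
    return url.protocol === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*\s]+)(\/\S*)?$/i.exec(source);
  if (!m) return false; // keyword, bare "*" or port syntax: not handled here
  const [, scheme, wildcard, host, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (url.port !== "") return false; // no port in the source: default port only
  const want = host.toLowerCase();
  const got = url.hostname.toLowerCase();
  if (wildcard ? !got.endsWith("." + want) : got !== want) return false;
  if (path === undefined) return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// Decide what frame-src does with one <iframe>. A srcdoc frame has no URL
// for the directive to match; per the owner's comment it is treated as an
// extension of the parent and inherits the parent's origin and policy.
function frameDecision(policy, frame) {
  if (frame.srcdoc !== undefined) return "inherits-parent-policy";
  const url = new URL(frame.src);
  return policy.trim().split(/\s+/).some((s) => sourceMatches(s, url))
    ? "allowed"
    : "blocked";
}

// The two frames from the report, plus a few constructed URLs for contrast.
const cases = [
  { src: "data:text/html;charset=utf-8,%3Chtml%3E%3Cbody%3Efoo%3C/body%3E%3C/html%3E" },
  { srcdoc: "anything" },
  { src: "https://www.youtube.com/embed/abc" },
  { src: "https://www.youtube.com/watch?v=abc" },
  { src: "https://api.soundcloud.com/player" },
];
for (const f of cases) console.log(frameDecision(FRAME_SRC, f), f.src || "srcdoc");
```

Because the `srcdoc` branch never consults `frame-src`, a page that must exclude all frames needs a control that applies to the inherited document itself (for example the parent's own `script-src`, which the `srcdoc` frame inherits along with its origin) rather than relying on `frame-src` alone.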
