[CSP] How to interpret 'self' in a sandboxed iframe

In Chrome, https://crbug.com/443444 was recently filed and points out that
Chrome acts inconsistently with IE and Firefox when it comes to 'self' and
resources in a sandbox. From the bug report:

"The web page in the attached archive attempts to frame HTML
documents that load external stylesheets.  There are four cases: the
stylesheet comes from the same or different source, and the iframe is
sandboxed or not.  All of the framed documents (and their stylesheets) are
served with CSPs that allow stylesheets from 'self' and the named different
source.  Since both stylesheet sources are permitted by the CSP, the
stylesheet is expected to load in all cases.

However, in the same-source, sandboxed case, Chrome refuses to load the
stylesheet, citing a CSP violation.  Firefox and the most recent Internet
Explorer builds do load the stylesheet in all cases."


We've gotten to the root of what Chrome's doing and, as the reporter (and
Brad Hill) suggests, Chrome is checking the *unique origin* of the
sandbox against 'self', rather than checking whether it has the same "scheme,
host, and port as the protected resource's URL" (
https://w3c.github.io/webappsec/specs/content-security-policy/#match-source-expression).
So this is definitely the difference in what Chrome's doing, and I even
uploaded a CL that potentially addresses at least part of the problem (
https://codereview.chromium.org/822483002/).

However, I'm not convinced that this is actually the right answer, and at
the very least, I want to make sure we consciously decide what user agents
should do in this case. I see two issues here:

   - It seems odd to me that 'self' is not checked against the origin, but
   against a URL. For most security decisions, shouldn't we be using origin,
   so that we're consistent in cases like this?
   - As abarth@chromium.org points out in a previous CL (
   https://codereview.chromium.org/150893004/), this non-origin definition
   presents problems for about:blank and srcdoc resources. It doesn't seem
   unreasonable to me to require that resources that are sandboxed explicitly
   whitelist the resources they want to access, rather than relying 'self'.
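
The following is an added example, not code from this message, the bug report or Chrome: it models the two readings of 'self' (URL-based per the spec text quoted above, versus the sandbox's unique origin) over the bug report's four cases, and shows that an explicit host-source for the document's own host makes the sandboxed case pass under either reading. The hostnames same.example and other.example, the style-src list and the case names are constructed for the example.

```javascript
// Added example: two interpretations of CSP 'self' for a sandboxed frame.
// Runs stand-alone in Node (global URL); all inputs below are constructed.

// Spec reading: 'self' matches when scheme, host and port equal those of
// the protected resource's URL, regardless of the document's origin.
function selfMatchesByUrl(protectedResourceUrl, candidateUrl) {
  const a = new URL(protectedResourceUrl), b = new URL(candidateUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Origin reading (the behaviour the bug describes): compare the document's
// origin. A sandboxed frame without allow-same-origin has a unique origin,
// serialised here as 'null', which matches nothing.
function selfMatchesByOrigin(documentOrigin, candidateUrl) {
  if (documentOrigin === 'null') return false;
  return documentOrigin === new URL(candidateUrl).origin;
}

// Evaluate a style-src list against one stylesheet URL. `matcher` selects
// which reading of 'self' is used; host-sources are matched on scheme/host/port.
function styleAllowed(policySources, documentUrl, sandboxed, styleUrl, matcher) {
  const docOrigin = sandboxed ? 'null' : new URL(documentUrl).origin;
  return policySources.some((src) => {
    if (src === "'self'") {
      return matcher === 'url'
        ? selfMatchesByUrl(documentUrl, styleUrl)
        : selfMatchesByOrigin(docOrigin, styleUrl);
    }
    return selfMatchesByUrl(src, styleUrl);
  });
}

// Constructed inputs mirroring the bug report: the framed document and
// its stylesheets come from the "same" or a named "other" source.
const DOC = 'https://same.example/framed.html';
const POLICY = ["'self'", 'https://other.example'];
const CASES = [
  { name: 'same-source, not sandboxed', sandboxed: false, style: 'https://same.example/a.css' },
  { name: 'same-source, sandboxed',     sandboxed: true,  style: 'https://same.example/a.css' },
  { name: 'other-source, not sandboxed', sandboxed: false, style: 'https://other.example/b.css' },
  { name: 'other-source, sandboxed',    sandboxed: true,  style: 'https://other.example/b.css' },
];

// Returns { caseName: allowed } for the given reading of 'self' and policy.
function runCases(matcher, policy = POLICY) {
  return Object.fromEntries(
    CASES.map((c) => [c.name, styleAllowed(policy, DOC, c.sandboxed, c.style, matcher)]),
  );
}
```

Adding 'https://same.example' to the list alongside 'self' is the explicit-whitelist approach from the second bullet; with it, `runCases('origin')` allows all four cases.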

What are thoughts out there in CSP land?
--Joel

Received on Tuesday, 30 December 2014 01:24:22 UTC