
CSP within frame constructed with "data:" URI?

From: James Marshall <james@jmarshall.com>
Date: Fri, 26 Apr 2013 17:28:24 -0700
Message-ID: <CAGEp=f0HeLksixL8Hq+TtYDbLXwE8YfVs7RBn++h37Bj1AKVOA@mail.gmail.com>
To: public-webappsec@w3.org
If a frame or iframe is constructed with a "data:" URI, is that frame's
content governed by the CSP of the parent document?  If not, then it
currently seems like a way to bypass CSP enforcement.

For example, the HTML in this HTTP response, including the embedded
alert(), is rendered by both Firefox and Chrome:

HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'
Content-Type: text/html

<p>Before iframe.


<p>After iframe.


The data: URI decodes to "<html><body><p>before script<script
type="text/javascript">alert('in script')</script><p>after
script</body></html>" .

Perhaps the CSP's frame-src should be required to contain 'unsafe-inline'
before rendering data: URIs in frame and iframe elements?

Thanks again,
Received on Saturday, 27 April 2013 00:28:51 UTC
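An added example (written for this archive page, not from the post or the W3C list) that models the behaviour the poster expects, namely that the parent document's CSP governs a data: iframe and its inline script. It is a minimal evaluator of the frame-src / script-src fallback to default-src and handles only the source expressions the question needs ('none', 'unsafe-inline', and scheme sources such as data:); the header is the one from the post and the data: URL is a constructed stand-in for the one stripped from the archive.

```javascript
// Parse "default-src 'none'; frame-src data:" into { 'default-src': ["'none'"], ... }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Effective source list for a fetch directive: the directive itself if present,
// otherwise default-src, otherwise null (no restriction at all).
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

// May a frame with this URL be loaded? Only 'none' and scheme sources (e.g. data:)
// are modelled; host sources are out of scope for the question on this page.
function frameAllowed(policy, url) {
  const sources = effectiveSources(policy, 'frame-src');
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const scheme = url.split(':')[0].toLowerCase() + ':';
  return sources.includes(scheme);
}

// May an inline <script> run in a document governed by this policy?
function inlineScriptAllowed(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// The poster's scenario: a parent with the given CSP embeds a data: iframe whose
// body carries an inline script. Assumption (the behaviour the post expects):
// the data: document inherits the parent's policy, so the same script-src
// decision applies to the alert() inside the frame.
function evaluateDataFrame(header, dataUrl) {
  const policy = parsePolicy(header);
  const frameLoads = frameAllowed(policy, dataUrl);
  const scriptRuns = frameLoads && inlineScriptAllowed(policy);
  return { frameLoads, scriptRuns };
}

// Constructed sample: the header from the post and a data: URL of the same shape.
const SAMPLE_HEADER = "default-src 'none'";
const SAMPLE_DATA_URL = "data:text/html,<p>before script<script>alert('in script')</script>";
```

With the header from the post, a conforming engine should refuse the frame outright, since frame-src falls back to default-src 'none'; adding `frame-src data:` lets the frame load but still blocks its inline script unless script-src carries 'unsafe-inline'.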
