
CSP within frame constructed with "data:" URI?

From: James Marshall <james@jmarshall.com>
Date: Fri, 26 Apr 2013 17:28:24 -0700
Message-ID: <CAGEp=f0HeLksixL8Hq+TtYDbLXwE8YfVs7RBn++h37Bj1AKVOA@mail.gmail.com>
To: public-webappsec@w3.org
If a frame or iframe is constructed with a "data:" URI, is that frame's
content governed by the CSP of the parent document?  If not, then it
currently seems like a way to bypass CSP enforcement.

For example, the HTML in this HTTP response, including the embedded
alert(), is rendered by both Firefox and Chrome:

=============================
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'
Content-Type: text/html

<html><body>
<p>Before iframe.

<iframe
src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>

<p>After iframe.

</body></html>
=============================

The data: URI decodes to "<html><body><p>before script<script
type="text/javascript">alert('in script')</script><p>after
script</body></html>" .

Perhaps the CSP's frame-src should be required to contain 'unsafe-inline'
before data: URIs are rendered in frame and iframe elements?


Thanks again,
James
Received on Saturday, 27 April 2013 00:28:51 UTC
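An added audit script (my own code, not from the post or the W3C list) that takes the response above, extracts the data: frame, decodes it, and checks it against the response's own policy; names such as audit and parse_csp are mine. It encodes what the later CSP Level 2/3 specs settled: the frame's URL is matched against frame-src, falling back to child-src and then default-src, so 'none' refuses a data: frame outright, and a data: document that does load inherits the embedding document's policy.

```python
import base64
import re
from urllib.parse import unquote
RESPONSE = (  # constructed copy of the response from the post: CSP header plus the data: iframe
    "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'none'\r\n"
    "Content-Type: text/html\r\n\r\n<html><body><p>Before iframe.\n<iframe\n"
    'src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9q'
    'YXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>'
    "\n<p>After iframe.</body></html>"
)

def parse_csp(header_value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective_frame_sources(policy):
    """Fallback chain for nested frames: frame-src, then child-src (CSP2), then default-src."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return policy[name]
    return None  # no directive applies: frames are unrestricted

def data_frames_allowed(sources):
    # data: must be listed explicitly; neither '*' nor 'self' matches data: URLs.
    return sources is None or "data:" in sources

def decode_data_uri(uri):
    """Document text carried by a data: URI (base64 or percent-encoded body)."""
    meta, _, payload = uri[len("data:"):].partition(",")
    if meta.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8", "replace")
    return unquote(payload)

def audit(raw_response):
    """For each data: frame: decoded document, whether it holds <script>, and whether the CSP lets it load."""
    head, _, body = raw_response.partition("\r\n\r\n")
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in head.split("\r\n")[1:])}
    allowed = data_frames_allowed(effective_frame_sources(parse_csp(hdrs.get("content-security-policy", ""))))
    findings = []
    for src in re.findall(r'<i?frame\b[^>]*?\ssrc="(data:[^"]*)"', body, re.I):
        doc = decode_data_uri(src)
        findings.append({"decoded": doc, "inline_script": bool(re.search(r"<script\b", doc, re.I)), "frame_permitted_by_csp": allowed})
    return findings
```

Run against RESPONSE it reports one data: frame carrying inline script that the policy does not permit to load; a policy with `frame-src data:` would report the frame as permitted, at which point the inherited policy is what governs the script inside it.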

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC