- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 27 Apr 2013 07:11:13 -0700
- To: James Marshall <james@jmarshall.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 26, 2013 at 5:28 PM, James Marshall <james@jmarshall.com> wrote:
> If a frame or iframe is constructed with a "data:" URI, is that frame's
> content governed by the CSP of the parent document? If not, then it
> currently seems like a way to bypass CSP enforcement.
>
> For example, the HTML in this HTTP response, including the embedded alert(),
> is rendered by both Firefox and Chrome:
>
> =============================
> HTTP/1.1 200 OK
> Content-Security-Policy: default-src 'none'
> Content-Type: text/html
>
> <html><body>
> <p>Before iframe.
>
> <iframe
> src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>
>
> <p>After iframe.
>
> </body></html>
> =============================
>
> The data: URI decodes to "<html><body><p>before script<script
> type="text/javascript">alert('in script')</script><p>after
> script</body></html>" .
>
> Perhaps should the CSP's frame-src be required to contain 'unsafe-inline'
> before rendering data: URIs in frame and iframe elements?

The default-src 'none' directive will prevent this iframe from being loaded
from a data URL. You'd need to explicitly whitelist data: in order for it to
load.

Which version of Chrome did you test with? (If you're testing in Firefox,
you'll need to enable support for the standard Content-Security-Policy header
via about:config I believe.)

Adam
Received on Saturday, 27 April 2013 14:12:12 UTC
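The point in the reply above, that a frame loaded from a data: URL is governed by the parent's frame-src (falling back to default-src) and so is blocked by default-src 'none' unless data: is listed explicitly, as an added illustration that is not part of the thread. It is a deliberately simplified model of CSP source matching (only 'none', 'self', scheme sources and exact-origin host sources, with frame-src falling back to default-src), not a browser's full algorithm; the policies and URLs in the test are constructed.

```javascript
// Added example, not code from the original thread. A simplified model of
// how a parent document's CSP decides whether an <iframe src="..."> may
// load. Only the pieces discussed in the thread are modelled.
function parsePolicy(header) {
  // "default-src 'none'; frame-src data:" -> { "default-src": ["'none'"], "frame-src": ["data:"] }
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function sourceMatches(source, frameUrl, documentOrigin) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") {
    // 'self' is the document's own origin; a data: URL has an opaque
    // origin, so it never matches 'self'.
    return frameUrl.protocol !== "data:" && frameUrl.origin === documentOrigin;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) {
    // scheme-source such as "data:" or "https:"; this is the explicit
    // whitelisting the reply refers to
    return frameUrl.protocol === lower;
  }
  // host-source, compared as an exact origin (scheme://host[:port])
  return frameUrl.protocol !== "data:" && frameUrl.origin === lower;
}

// Returns true when the parent's policy permits the frame to load.
function frameAllowed(header, frameUrlString, documentOrigin) {
  const policy = parsePolicy(header);
  // frame-src governs frames; when absent, default-src applies instead
  const sources = "frame-src" in policy ? policy["frame-src"] : policy["default-src"];
  if (sources === undefined) return true; // no directive governs frames
  const frameUrl = new URL(frameUrlString);
  return sources.some((s) => sourceMatches(s, frameUrl, documentOrigin));
}
```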