Re: CSP within frame constructed with "data:" URI?

On Fri, Apr 26, 2013 at 5:28 PM, James Marshall <> wrote:
> If a frame or iframe is constructed with a "data:" URI, is that frame's
> content governed by the CSP of the parent document?  If not, then it
> currently seems like a way to bypass CSP enforcement.
> For example, the HTML in this HTTP response, including the embedded alert(),
> is rendered by both Firefox and Chrome:
> =============================
> HTTP/1.1 200 OK
> Content-Security-Policy: default-src 'none'
> Content-Type: text/html
> <html><body>
> <p>Before iframe.
> <iframe
> src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>
> <p>After iframe.
> </body></html>
> =============================
> The data: URI decodes to "<html><body><p>before script<script
> type="text/javascript">alert('in script')</script><p>after
> script</body></html>" .
> Perhaps should the CSP's frame-src be required to contain 'unsafe-inline'
> before rendering data: URIs in frame and iframe elements?

The default-src 'none' directive will prevent this iframe from being
loaded from a data URL.  You'd need to explicitly whitelist data: in
order for it to load.  Which version of Chrome did you test with?  (If
you're testing in Firefox, you'll need to enable support for the
standard Content-Security-Policy header via about:config I believe.)


Received on Saturday, 27 April 2013 14:12:12 UTC