- From: James Marshall <james@jmarshall.com>
- Date: Sat, 27 Apr 2013 11:42:13 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAGEp=f0iw98tBZzEoXYxYOP9re0A182qQ6TXLPAe3q_+FpPhbg@mail.gmail.com>
Ah, right, the scheme has to match. This looks like a false alarm all around-- I now see that Firefox only supports X-Content-Security-Policy: so far, and indeed, when I alter the HTTP response below to include that, the frame is correctly blocked. Also, I see that CSP is in Chrome 25 and higher, so I need to upgrade (currently using 24).

Thanks,
James

On Sat, Apr 27, 2013 at 7:11 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Fri, Apr 26, 2013 at 5:28 PM, James Marshall <james@jmarshall.com>
> wrote:
> > If a frame or iframe is constructed with a "data:" URI, is that frame's
> > content governed by the CSP of the parent document? If not, then it
> > currently seems like a way to bypass CSP enforcement.
> >
> > For example, the HTML in this HTTP response, including the embedded alert(),
> > is rendered by both Firefox and Chrome:
> >
> > =============================
> > HTTP/1.1 200 OK
> > Content-Security-Policy: default-src 'none'
> > Content-Type: text/html
> >
> > <html><body>
> > <p>Before iframe.
> >
> > <iframe
> > src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>
> >
> > <p>After iframe.
> >
> > </body></html>
> > =============================
> >
> > The data: URI decodes to "<html><body><p>before script<script
> > type="text/javascript">alert('in script')</script><p>after
> > script</body></html>" .
> >
> > Perhaps should the CSP's frame-src be required to contain 'unsafe-inline'
> > before rendering data: URIs in frame and iframe elements?
>
> The default-src 'none' directive will prevent this iframe from being
> loaded from a data URL. You'd need to explicitly whitelist data: in
> order for it to load. Which version of Chrome did you test with? (If
> you're testing in Firefox, you'll need to enable support for the
> standard Content-Security-Policy header via about:config I believe.)
>
> Adam
>
Received on Saturday, 27 April 2013 18:42:41 UTC
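The point Adam makes, that `default-src 'none'` already governs frames and that `data:` has to be listed explicitly before a `data:` iframe may load, can be checked without a browser. The following is an added example, not code from the thread or from any browser; it is a deliberately simplified CSP source-list evaluator (ports and paths are ignored, `frame-src` falls back through `child-src` to `default-src` as in CSP Level 3, which gives the same answer as the CSP 1.0 chain for the policies here), plus a helper that prefers the standard header over the prefixed `X-Content-Security-Policy` header that Firefox honoured at the time, and a decoder for the thread's own `data:` URL so the framed document can be inspected. The function and constant names are this example's own.

```python
"""Simplified CSP source-list evaluation for a framed document (added example)."""
import base64
import fnmatch
from urllib.parse import unquote_to_bytes, urlparse

# Directive fallback for frames: frame-src, then child-src (CSP Level 3),
# then default-src. CSP 1.0, which the thread was testing, fell back
# straight from frame-src to default-src; both chains agree below.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")

# The data: URL from the thread's HTTP response (copied from the page).
THREAD_DATA_URL = "data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="


def pick_csp_header(headers):
    """Policy to enforce from (name, value) response headers: the standard
    Content-Security-Policy header wins; the prefixed X-Content-Security-Policy
    header is used only when the standard one is absent."""
    found = {name.lower(): value for name, value in headers}
    return found.get("content-security-policy") or found.get("x-content-security-policy")


def parse_csp(header_value):
    """Parse "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.
    A directive repeated within one policy keeps its first occurrence."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_sources(policy, chain=FRAME_FALLBACK):
    """Source list of the first directive in the fallback chain that the policy
    sets, or None when nothing in the policy governs frames."""
    for name in chain:
        if name in policy:
            return policy[name]
    return None


def source_matches(source, url, page_origin=None):
    """Does one source expression match the URL? Handles 'none', 'self', '*',
    scheme sources (data:, https:) and host sources with an optional scheme
    and leading wildcard. page_origin is a (scheme, host) tuple."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""
    if source == "'none'":
        return False
    if source == "'self'":
        return page_origin is not None and (scheme, host) == tuple(page_origin)
    if source == "*":
        # A bare wildcard deliberately does not cover data:, blob: or filesystem:.
        return scheme not in ("data", "blob", "filesystem")
    if source.endswith(":") and "/" not in source:
        return scheme == source[:-1]          # scheme source such as "data:"
    src_scheme, _, host_pattern = source.rpartition("://")
    if src_scheme:
        if scheme != src_scheme:
            return False
    elif scheme in ("data", "blob", "filesystem"):
        return False                          # host sources never match opaque schemes
    host_pattern = host_pattern.split("/", 1)[0].split(":", 1)[0]
    return fnmatch.fnmatchcase(host, host_pattern)


def frame_allowed(header_value, frame_url, page_origin=None):
    """True when the policy permits a frame or iframe to load frame_url."""
    sources = effective_sources(parse_csp(header_value))
    if sources is None:
        return True                           # policy does not govern frames
    return any(source_matches(s, frame_url, page_origin) for s in sources)


def decode_data_url(url):
    """Payload bytes of a data: URL (base64 or percent-encoded), so a reviewer
    can see what document a data: frame would actually carry."""
    if not url.lower().startswith("data:"):
        raise ValueError("not a data: URL")
    meta, _, payload = url[len("data:"):].partition(",")
    if meta.lower().endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)


if __name__ == "__main__":
    headers = [("Content-Type", "text/html"),
               ("Content-Security-Policy", "default-src 'none'")]
    policy = pick_csp_header(headers)
    print("default-src 'none' allows the data: frame:",
          frame_allowed(policy, THREAD_DATA_URL))                                   # False
    print("adding frame-src data: allows it:",
          frame_allowed("default-src 'none'; frame-src data:", THREAD_DATA_URL))    # True
    print("framed document:", decode_data_url(THREAD_DATA_URL).decode())
```

Running the block shows the outcome Adam described: with `default-src 'none'` the frame is refused, and only a policy that names `data:` (here via `frame-src data:`) admits it; a bare `*` does not, which is worth remembering when a wildcard policy looks permissive. The decoder is there for review and detection work, since a `data:` frame's content is otherwise invisible in the parent response.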