Re: CSP 1.1 frameancestors and blobs

+public-webappsec

`srcdoc` inherits the origin of the framing doc completely. I'm not sure
that we describe that well in the spec, but I think a `srcdoc` iframe
inside `https://example.com` should match `frame-ancestors example.com`.

Blob, on the other hand, only matches if the `blob:` scheme is whitelisted
(see https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-guid-matching).

That's how I imagine these cases working. If the spec doesn't make that
clear, we should update the spec.

-mike

--
Mike West <mkwst@google.com>


On Thu, Jul 3, 2014 at 12:41 AM, Sid Stamm <sid@mozilla.com> wrote:

> Hey guys,
>
> We came across an interesting bug when fixing edge cases in
> frame-ancestors for CSP 1.1.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1033675
> via:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1031658#c10
>
> We're not exactly sure what to do when traversing the ancestry and
> encountering a srcdoc or blob.  Since they could inherit origin of their
> parent, yet have a document URL that doesn't match scheme/host/port of
> the parent, we're not sure what to use.
>
> The working draft suggests using the document URI, but I'm not sure
> that's right (and if it is, we should clarify in the spec since these
> are weird cases).  What do you think?
>
>
> https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors
>
> -Sid
>

Received on Thursday, 3 July 2014 06:07:43 UTC
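
A simplified model of the matching behaviour described in the reply above, as an added example that is not part of the original thread and is not the CSP specification's algorithm or any browser's code. The document objects, function names and sample URLs are constructed for illustration, and only scheme-source and host-source expressions are handled (a scheme-less host is assumed to match both http and https).

```javascript
// Added example: a document is { url, parent }; srcdoc documents carry the
// URL "about:srcdoc". All names and sample data here are constructed.

// srcdoc inherits the framing document's origin, so match against the
// nearest non-srcdoc ancestor's URL instead of "about:srcdoc".
function effectiveUrl(doc) {
  let d = doc;
  while (d.url === 'about:srcdoc' && d.parent) d = d.parent;
  return new URL(d.url);
}

// Handles only scheme-source ("blob:") and host-source ("[scheme://]host[:port]").
function matchesSource(url, source) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase();
  }
  // blob: (and other non-network schemes) can match only a scheme-source.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (url.hostname !== host.toLowerCase()) return false;
  // No port in the source expression means the scheme's default port only.
  const def = url.protocol === 'https:' ? '443' : '80';
  return (port || def) === (url.port || def);
}

// True only if every ancestor of `frame` matches at least one source.
function frameAncestorsAllows(sources, frame) {
  for (let a = frame.parent; a; a = a.parent) {
    const url = effectiveUrl(a);
    if (!sources.some((s) => matchesSource(url, s))) return false;
  }
  return true;
}

// Constructed ancestor chains: a widget framed via srcdoc and via a blob: document.
const topDoc = { url: 'https://example.com/', parent: null };
const srcdocDoc = { url: 'about:srcdoc', parent: topDoc };
const blobDoc = { url: 'blob:https://example.com/constructed-uuid', parent: topDoc };
const viaSrcdoc = { url: 'https://widget.example/', parent: srcdocDoc };
const viaBlob = { url: 'https://widget.example/', parent: blobDoc };
```

With these chains, `frame-ancestors example.com` admits the srcdoc case but rejects the blob case until `blob:` is added to the source list.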