
Re: Programmatically declaring the CSP of an iframe

From: Conrad Irwin <conrad.irwin@gmail.com>
Date: Mon, 20 Jul 2015 22:09:58 -0700
Message-ID: <CAOTq_pvuKVjC51ZB_qWftDiDcLz_YJpmC3uHo-TzR08tp_grSQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jul 20, 2015 at 9:31 PM, Mike West <mkwst@google.com> wrote:

> On Tue, Jul 21, 2015 at 12:37 AM, Conrad Irwin <conrad.irwin@gmail.com>
> wrote:
>> I looked into using the sandbox attribute [2], but it suffered from two
>> drawbacks:
>> a) I can't add event listeners to the contents of the iframe, which is
>> necessary for keyboard shortcuts. [3]
> Looks like a bug in Chrome rather than a bug with the feature. Does
> Firefox support this kind of work?

It's also broken in Firefox.

> We're fixing this with a new `allow-popups-to-escape-sandbox` keyword (
> https://wiki.whatwg.org/index.php?title=Iframe_sandbox_improvments).
> Should be shipping in Chrome 46, though I haven't heard signals from other
> browser vendors (WDYT, Mozillians? Microsofties? :) )

Nice, this would be perfect.

>> So now I'm inserting a Content-Security-Policy using a meta tag on the
>> purified document.
> At the moment, that's how you'll need to apply a CSP to the page. One of
> the goals for CSP3 is to add a real API, but that's a little ways off.
>> I would love to be able to specify the Content-Security-Policy from the
>> parent document not the loaded document, as that feels cleaner. It would
>> also hopefully let me add CSP reports, and other features that are not
>> supported by meta-tag CSP policies.
> What would you like to do that you can't from <meta>?

I would like to get violation reports (so I get alerted if something sneaks
past DOMPurify). It looks like the only other two header-only values are
reflected-xss (which I imagine doesn't do anything in this scenario, so I
don't care about it) and sandbox (which I can already set on the iframe), so
it'd just be that. To be honest, it's not a deal breaker; the reports would
just satisfy my curiosity.

The only other worry I have is that my Content-Security-Policy is
definitely applied. If someone were to send an email that also contained a
CSP (and somehow got it through DOMPurify), I'd want to make sure that my
header took effect still. When it's out of band I don't get nervous, but
in-band just seems more prone to issues.

Received on Tuesday, 21 July 2015 05:10:47 UTC
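An added example, not code from the thread or from DOMPurify: it builds the iframe document so that the author's policy is the first thing in it, drops the directives that are ignored in a <meta> policy (the ones named above, plus frame-ancestors), and treats sanitizer output that still carries its own <meta> CSP as a failure. The purified input string is constructed; the sanitize step itself is assumed to have run already.

```javascript
// Matches an in-band CSP that survived sanitization, any case, any quoting.
const META_CSP_RE = /<meta\b[^>]*http-equiv\s*=\s*["']?content-security-policy/i;

// Directives that have no effect when delivered via <meta> (CSP2); keeping
// them out makes the policy string say only what the frame will enforce.
const HEADER_ONLY = ['report-uri', 'frame-ancestors', 'sandbox', 'reflected-xss'];

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// directives: { 'default-src': ["'none'"], 'img-src': ['https:'] }
function buildPolicy(directives) {
  return Object.keys(directives)
    .filter((name) => !HEADER_ONLY.includes(name))
    .map((name) => name + ' ' + directives[name].join(' '))
    .join('; ');
}

function buildSrcdoc(purifiedHtml, directives) {
  if (META_CSP_RE.test(purifiedHtml)) {
    // Every policy present in a document is enforced, so a smuggled policy
    // cannot loosen ours; it can only restrict further and break rendering.
    // Either way it means the sanitizer let a <meta> through: fail closed.
    throw new Error('sanitized content still contains a <meta> CSP');
  }
  const policy = escapeAttr(buildPolicy(directives));
  // The <meta> must precede any content it is meant to govern.
  return '<!DOCTYPE html><html><head>' +
    '<meta http-equiv="Content-Security-Policy" content="' + policy + '">' +
    '</head><body>' + purifiedHtml + '</body></html>';
}

// Constructed sample: purified email body plus the policy the parent wants.
const SAMPLE_DIRECTIVES = {
  'default-src': ["'none'"],
  'img-src': ['https:'],
  'style-src': ["'unsafe-inline'"],
  'report-uri': ['/csp-report'], // silently ignored in <meta>, so dropped
};
const SAMPLE_SRCDOC = buildSrcdoc('<p>Hello from a purified email</p>', SAMPLE_DIRECTIVES);
```

The returned string is what goes into the iframe's srcdoc attribute (entity-escaped there as any attribute value would be).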
