223848 2021-03-27 21:30:23 -0700 CSP: iframe with sandbox="allow-scripts" does not respect default-src 'self' policy 2023-10-06 06:06:23 -0700 1 1 1 Unclassified WebKit Frames Safari 14 Mac (Intel) macOS 10.15 RESOLVED FIXED https://jsfiddle.net/4hLdygm9/1/ InRadar P2 Major --- 1 hi webkit-unassigned bfulgham webkit-bug-importer oldest_to_newest 1744586 0 hi 2021-03-27 21:30:23 -0700 I have an iframe defined as follows: <iframe src="https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/" sandbox="allow-scripts" /> The embedded page contains a CSP meta tag: <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';"> The page contains a script tag like this, which should be allowed by default-src 'self': <script src="test.js"></script> However, this error is thrown: Refused to load https://cloudflare-ipfs.com/ipfs/QmPAQqymGn4GTNmfUqof2xtQNJU7GHRcvcvaPSJSzhNoTw/style.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy. If I add "allow-same-origin" to the iframe's sandbox attribute, the error goes away. I've set up a working example here: https://jsfiddle.net/4hLdygm9/1/ 1744587 1 hi 2021-03-27 21:31:54 -0700 Apologies, the error being thrown is actually this one: Refused to load https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/test.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy. 1746892 2 webkit-bug-importer 2021-04-04 21:23:01 -0700 <rdar://problem/76205075> 1748160 3 smoley 2021-04-07 17:06:45 -0700 Thanks for filing, I'm seeing this error on Safari 13.1.2 as well as TOT 14.2 using the provided test case. 1983186 4 hi 2023-10-06 06:06:14 -0700 Randomly thought of this bug from a while back and it seems to be fixed on Safari Version 17.0 (19616.1.27.211.1)!