<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>236624</bug_id>
          
          <creation_ts>2022-02-14 17:23:43 -0800</creation_ts>
          <short_desc>Document.write into iframe with CSP sometimes blocks resource loads in inner iframe</short_desc>
          <delta_ts>2022-02-23 13:58:50 -0800</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>DOM</component>
          <version>Safari 15</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>macOS 12</op_sys>
          <bug_status>NEW</bug_status>
          <resolution></resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Matt Bierner">matb</reporter>
          <assigned_to name="Nobody">webkit-unassigned</assigned_to>
          <cc>achristensen</cc>
    
    <cc>bfulgham</cc>
    
    <cc>cdumez</cc>
    
    <cc>katherine_cheney</cc>
    
    <cc>pgriffis</cc>
    
    <cc>webkit-bug-importer</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1841495</commentid>
    <comment_count>0</comment_count>
      <attachid>451967</attachid>
    <who name="Matt Bierner">matb</who>
    <bug_when>2022-02-14 17:23:43 -0800</bug_when>
    <thetext>Created attachment 451967
Simple repo with two html files

== Steps to reproduce the problem ==

1. On a page with a restrictive content security policy 
2. Embed a sandboxed, same origin iframe
3. On the parent page, use `setInterval` to check the ready state of the iframe. Once it is listed as `complete`, try using `document.write` to write a new html document into it. This new html document should have its own CSP and try to load content that would be allowed by that CSP but blocked by the parent page&apos;s

I&apos;ve attached two simple html files that show this issue in action. To reproduce, start a simple local server in the folder and open `index.html`


== What is the expected behavior? == 
The new content of the inner iframe should load (it should load a picture of a cat with a red background)


== What went wrong? ==
Occasionally resources in the inner iframe will be blocked due to a CSP violation. This happens maybe 25% of the time for me. I can reproduce it even more reliably by reducing the `setInterval` timeout

The fact that the code sometimes works suggests to me that there is some sort of race.


== Does this work in other browsers? ==
This is also broken in Chrome (https://bugs.chromium.org/p/chromium/issues/detail?id=1297377). I can&apos;t test in Firefox because the entire scenario is blocked by https://bugzilla.mozilla.org/show_bug.cgi?id=1754872

== Other notes ==
This example seems contrived, but is used in the VS Code codebase to work around https://bugs.webkit.org/show_bug.cgi?id=33604</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1841557</commentid>
    <comment_count>1</comment_count>
    <who name="Radar WebKit Bug Importer">webkit-bug-importer</who>
    <bug_when>2022-02-14 19:57:02 -0800</bug_when>
    <thetext>&lt;rdar://problem/88943548&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1845304</commentid>
    <comment_count>2</comment_count>
    <who name="Matt Bierner">matb</who>
    <bug_when>2022-02-23 13:58:50 -0800</bug_when>
    <thetext>Over on Chrome, we determined this is likely by-design (although quite confusing): https://bugs.chromium.org/p/chromium/issues/detail?id=1297377

The issue with the polling here is that the iframe document may still be on `about:blank` when the ready state is first checked. This results in the new content written into the document inheriting the parent page&apos;s CSP instead of providing its own

To fix this, I added a check to our code to make sure we are checking the ready state of the expected page instead of `about:blank`</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="0"
              isprivate="0"
          >
            <attachid>451967</attachid>
            <date>2022-02-14 17:23:43 -0800</date>
            <delta_ts>2022-02-14 17:23:43 -0800</delta_ts>
            <desc>Simple repo with two html files</desc>
            <filename>example.zip</filename>
            <type>application/zip</type>
            <size>1359</size>
            <attacher name="Matt Bierner">matb</attacher>
            

          </attachment>
      

    </bug>

</bugzilla>