260284 2023-08-16 13:06:27 -0700 Incorrect Sec-Fetch-Site values on sandboxed iframes 2024-06-16 23:38:00 -0700 1 1 1 Unclassified WebKit Frames Safari 16 Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=256472 InRadar P2 Normal --- 1 jerryzz youennf achristensen annevk bfulgham cdumez jerryzz pgriffis vincentlee webkit-bug-importer wilander youennf oldest_to_newest 1971573 0 jerryzz 2023-08-16 13:06:27 -0700 The Sec-Fetch-Site header is supposed to reflect the relationship between the origin of request's initiator and the origin of it's target. (https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header) However, the current behavior seems to be incorrect for sandboxed iframes where a same-origin url will result in a Sec-Fetch-Site header with value "cross-site". i.e. Reproduction steps: Visit https://polar-purrfect-pangolin.glitch.me/sandboxediframe.html which contains: <iframe src="https://polar-purrfect-pangolin.glitch.me/" sandbox></iframe> Expected behavior: The Sec-Fetch-Site header of the sandboxed iframe request has value "same-origin" Actual behavior: The Sec-Fetch-Site header of the sandboxed iframe request has value "cross-site" https://bugs.webkit.org/show_bug.cgi?id=256472 may be related. 1973068 1 webkit-bug-importer 2023-08-23 13:07:16 -0700 <rdar://problem/114340186> 2039079 2 vincentlee 2024-05-31 10:20:24 -0700 Hi, what's the status on this? We'd love to roll out serverside security checks for Safari based on the Sec-Fetch headers, but Sec-Fetch-Site not being correct is giving us pause. We've rolled out on all other browsers, so only Safari is left. This appears to still be a bug in Safari 17.5 2039082 3 vincentlee 2024-05-31 10:31:35 -0700 Actually, on further reading of the spec, I'm Chrome and FF might be the ones with the bug here. Sandboxing an iframe without `allow-same-origin` means the origin becomes opaque, and if I'm reading the language correctly for Sec-Fetch-Site, the algorithm for setting the header asserts that the request is from a "potentially trustworthy origin", which an opaque origin is not. 2039375 4 youennf 2024-06-03 01:23:05 -0700 I think Chrome and FF are correct here. The env origin is the top level frame. 2039388 5 youennf 2024-06-03 02:31:11 -0700 Pull request: https://github.com/WebKit/WebKit/pull/29450 2041627 6 ews-feeder 2024-06-16 23:37:57 -0700 Committed 280065@main (deeefb52b7fd): <https://commits.webkit.org/280065@main> Reviewed commits have been landed. Closing PR #29450 and removing active labels.