| Summary: | CSP: iframe with sandbox="allow-scripts" does not respect default-src 'self' policy | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Daniel <hi> |
| Component: | Frames | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Major | CC: | bfulgham, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 14 | ||
| Hardware: | Mac (Intel) | ||
| OS: | macOS 10.15 | ||
| URL: | https://jsfiddle.net/4hLdygm9/1/ | ||

Description
Daniel
2021-03-27 21:30:23 PDT
Apologies, the error being thrown is actually this one: Refused to load https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/test.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.

Thanks for filing, I'm seeing this error on Safari 13.1.2 as well as TOT 14.2 using the provided test case.

Randomly thought of this bug from a while back and it seems to be fixed on Safari Version 17.0 (19616.1.27.211.1)!