Bug 223848

Summary: CSP: iframe with sandbox="allow-scripts" does not respect default-src 'self' policy
Product: WebKit Reporter: Daniel <hi>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: bfulgham, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 14   
Hardware: Mac (Intel)   
OS: macOS 10.15   
URL: https://jsfiddle.net/4hLdygm9/1/

Description Daniel 2021-03-27 21:30:23 PDT 
I have an iframe defined as follows:

<iframe src="https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/" sandbox="allow-scripts" />

The embedded page contains a CSP meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">

The page contains a script tag like this, which should be allowed by default-src 'self':

<script src="test.js"></script>

However, this error is thrown:
Refused to load https://cloudflare-ipfs.com/ipfs/QmPAQqymGn4GTNmfUqof2xtQNJU7GHRcvcvaPSJSzhNoTw/style.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy.

If I add "allow-same-origin" to the iframe's sandbox attribute, the error goes away.

I've set up a working example here:
https://jsfiddle.net/4hLdygm9/1/
Comment 1 Daniel 2021-03-27 21:31:54 PDT 
Apologies, the error being thrown is actually this one:

Refused to load https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/test.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
Comment 2 Radar WebKit Bug Importer 2021-04-04 21:23:01 PDT 
<rdar://problem/76205075>
Comment 3 Smoley 2021-04-07 17:06:45 PDT 
Thanks for filing, I'm seeing this error on Safari 13.1.2 as well as TOT 14.2 using the provided test case.
Comment 4 Daniel 2023-10-06 06:06:14 PDT 
Randomly thought of this bug from a while back and it seems to be fixed on Safari Version 17.0 (19616.1.27.211.1)!