Bug 223848
| Summary: | CSP: iframe with sandbox="allow-scripts" does not respect default-src 'self' policy | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Daniel <hi> |
| Component: | Frames | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Major | CC: | bfulgham, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 14 | | |
| Hardware: | Mac (Intel) | | |
| OS: | macOS 10.15 | | |
| URL: | https://jsfiddle.net/4hLdygm9/1/ | | |
Daniel
I have an iframe defined as follows:
<iframe src="https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/" sandbox="allow-scripts"></iframe>
The embedded page contains a CSP meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
The page contains a script tag like this, which should be allowed by default-src 'self':
<script src="test.js"></script>
However, this error is thrown:
Refused to load https://cloudflare-ipfs.com/ipfs/QmPAQqymGn4GTNmfUqof2xtQNJU7GHRcvcvaPSJSzhNoTw/style.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy.
If I add "allow-same-origin" to the iframe's sandbox attribute, the error goes away.
I've set up a working example here:
https://jsfiddle.net/4hLdygm9/1/
Daniel
Apologies, the error being thrown is actually this one:
Refused to load https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/test.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
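The report above comes down to what `'self'` resolves to for a document in a sandboxed iframe. CSP Level 3 derives the policy's self-origin from the document's URL, while a sandbox without `allow-same-origin` gives the document an opaque security origin; an implementation that builds `'self'` from that opaque origin matches nothing, which is the observed behaviour (the error disappears once `allow-same-origin` is added). The following Python model is an added example, not code from this bug or from WebKit. It implements the simplified `'self'` source-expression match (same host, same scheme or an http-to-https upgrade, ports equal or both default) and compares the spec-conformant derivation against one that uses the sandboxed security origin. `check_script`, `security_origin`, `csp_self_origin` and the `spec_conformant` flag are constructed names for this illustration; the policy is assumed to be `default-src 'self'` with no `script-src`, and the URLs are the ones quoted in the report.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Default ports used for the "both ports are defaults" leniency in 'self' matching.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: Optional[int]


OPAQUE = None  # models an opaque origin, which no source expression can match


def origin_of(url: str) -> Origin:
    """Tuple origin (scheme, host, effective port) of a URL."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme.lower())
    return Origin(p.scheme.lower(), (p.hostname or "").lower(), port)


def security_origin(document_url: str, sandbox: Optional[str]):
    """Origin the document actually runs with (constructed helper).

    A sandbox attribute without the allow-same-origin token forces an opaque origin.
    """
    if sandbox is not None and "allow-same-origin" not in sandbox.split():
        return OPAQUE
    return origin_of(document_url)


def csp_self_origin(document_url: str) -> Origin:
    """CSP3 self-origin: taken from the document's URL, independent of sandboxing."""
    return origin_of(document_url)


def self_matches(self_origin: Optional[Origin], url: str) -> bool:
    """Simplified CSP3 match of a URL against the 'self' keyword."""
    if self_origin is None:  # opaque self-origin: nothing can match
        return False
    target = origin_of(url)
    if target.host != self_origin.host:
        return False
    scheme_ok = (target.scheme == self_origin.scheme or
                 (self_origin.scheme == "http" and target.scheme in ("https", "wss")))
    port_ok = (target.port == self_origin.port or
               (target.port == DEFAULT_PORTS.get(target.scheme) and
                self_origin.port == DEFAULT_PORTS.get(self_origin.scheme)))
    return scheme_ok and port_ok


def check_script(document_url: str, sandbox: Optional[str], script_url: str,
                 spec_conformant: bool = True) -> dict:
    """Decide whether default-src 'self' allows loading script_url.

    spec_conformant=True derives 'self' from the document URL (CSP3);
    False derives it from the (possibly opaque) security origin, reproducing
    the blocked load described in the report.
    """
    if spec_conformant:
        self_origin = csp_self_origin(document_url)
    else:
        self_origin = security_origin(document_url, sandbox)
    allowed = self_matches(self_origin, script_url)
    message = None if allowed else (
        f"Refused to load {script_url} because it appears in neither the script-src "
        "directive nor the default-src directive of the Content Security Policy.")
    return {"allowed": allowed, "message": message}


DOC = "https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/"
SCRIPT = DOC + "test.js"

if __name__ == "__main__":
    for sandbox in ("allow-scripts", "allow-scripts allow-same-origin"):
        for conformant in (True, False):
            r = check_script(DOC, sandbox, SCRIPT, spec_conformant=conformant)
            print(f"sandbox={sandbox!r:40} spec={conformant!s:5} allowed={r['allowed']}")
```

Running the module prints one line per combination: with the document URL as self-origin the script is allowed under both sandbox values, whereas deriving `'self'` from the security origin blocks it under `allow-scripts` alone and allows it only once `allow-same-origin` is present, matching the reporter's observation.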
Radar WebKit Bug Importer
<rdar://problem/76205075>
Smoley
Thanks for filing. I'm seeing this error on Safari 13.1.2 as well as TOT 14.2 using the provided test case.
Daniel
Randomly thought of this bug from a while back and it seems to be fixed on Safari Version 17.0 (19616.1.27.211.1)!