Bug 271377

Summary: Frame-Ancestors directive not supported in Content-Security-Policy-Report-Only Mode
Product: WebKit
Reporter: jannis.rautenstrauch
Component: Frames
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: cdumez, karlcow, mike, webkit-bug-importer, wilander
Priority: P2
Keywords: BrowserCompat, InRadar, WPTImpact
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also:
https://bugs.webkit.org/show_bug.cgi?id=251889
https://bugs.webkit.org/show_bug.cgi?id=247626
https://bugs.webkit.org/show_bug.cgi?id=207563

jannis.rautenstrauch
Reported 2024-03-21 05:34:37 PDT
Framing a page that sets a `Content-Security-Policy-Report-Only: frame-ancestors 'none'` header results in the following error message: "The Content Security Policy directive 'frame-ancestors' is ignored when delivered in a report-only policy." in Safari only. In Chromium and Firefox, a report is generated.

The following two WPT tests already test for this behavior and it would be great for compatibility if WebKit also would report the violation here.
- https://wpt.fyi/results/content-security-policy/frame-ancestors/report-only-frame.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
- https://wpt.fyi/results/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
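
A local harness for comparing browsers on the behaviour reported above, added here as an example and not part of the bug thread or of WebKit: it serves a page with the report-only header, frames it, and records any frame-ancestors report posted back. The `/framed` and `/report` paths, port 8000, and the use of `report-uri` with its `csp-report` JSON body are assumptions of this example.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions of this example: the /framed and /report paths and port 8000.
POLICY = "frame-ancestors 'none'; report-uri /report"
REPORTS = []  # frame-ancestors reports received by /report

def framed_headers():
    """Report-only policy: the frame still loads, a violation is only reported."""
    return {"Content-Security-Policy-Report-Only": POLICY,
            "Content-Type": "text/html; charset=utf-8"}

def frame_ancestors_report(body):
    """Return the report dict if body is a frame-ancestors CSP report, else None."""
    try:
        report = json.loads(body)["csp-report"]
        directive = (report.get("effective-directive")
                     or report.get("violated-directive") or "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    # violated-directive may carry the whole directive, e.g. "frame-ancestors 'none'"
    return report if str(directive).split()[:1] == ["frame-ancestors"] else None

class Handler(BaseHTTPRequestHandler):
    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/framed":
            self._send(200, framed_headers(), b"<p>framed page</p>")
        else:  # same-origin parent: 'none' disallows even same-origin framing
            self._send(200, {"Content-Type": "text/html"},
                       b'<iframe src="/framed"></iframe>')

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        report = frame_ancestors_report(self.rfile.read(length))
        if self.path == "/report" and report is not None:
            REPORTS.append(report)
            print("frame-ancestors report for", report.get("document-uri"))
        self._send(204, {})

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it and open http://127.0.0.1:8000/ in each browser: a browser that reports the violation triggers the printed line, while one that ignores the directive in report-only mode produces no POST to `/report`.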
Karl Dubost
Comment 1 2024-03-21 20:12:12 PDT
The first test http://wpt.live/content-security-policy/frame-ancestors/report-only-frame.sub.html fails with (No asserts ran)
undefined is not an object (evaluating 'data[0]["body"]') only in Safari

The second test http://wpt.live/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html fails with (No asserts ran)
Safari: undefined is not an object (evaluating 'data[0]["body"]')
Firefox: can't access property "body", data[0] is undefined
Radar WebKit Bug Importer
Comment 2 2024-03-21 20:12:28 PDT
jannis.rautenstrauch
Comment 3 2024-03-22 00:41:12 PDT
The second test failing in Firefox is not due to the feature the test wants to test but due to the fact that a download is triggered in Firefox only: https://github.com/web-platform-tests/wpt/issues/45249