Bug 272680
| Summary: | CSP *.origin does not work correctly in sandboxed frames | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | jannis.rautenstrauch |
| Component: | Frames | Assignee: | Matthew Finkel <m_finkel> |
| Status: | NEW | ||
| Severity: | Normal | CC: | bfulgham, karlcow, me, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | Safari 17 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
jannis.rautenstrauch
In sandboxed iframes a CSP of `*.origin` does not match `sub.origin` even though it should?.
- The following URL frames a sandboxed IFrame with CSP `script-src *.headers.websec.saarland`: http://sub.headers.websec.saarland/_hp/tests/script-execution-csp.sub.html?resp_type=basic&browser_id=1&label=CSP-SCRIPT&first_id=98&last_id=98&scheme=http&t_resp_id=98&t_element_relation=execution_sandbox&t_resp_origin=http://headers.webappsec.eu
- The frame tries to load a script from `sub.headers.websec.saarland`
- Loading is blocked by the CSP: no message is received
- In Firefox and Chromium the script loads, a message is received
Probably related: https://bugs.webkit.org/show_bug.cgi?id=272674
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
John Wilander
I'll import this manually because the importer is taking too much time.
John Wilander
<rdar://126494156>