RESOLVED FIXED 260284
Incorrect Sec-Fetch-Site values on sandboxed iframes
https://bugs.webkit.org/show_bug.cgi?id=260284
Jerry Zhang
Reported 2023-08-16 13:06:27 PDT
The Sec-Fetch-Site header is supposed to reflect the relationship between the origin of the request's initiator and the origin of its target (https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header). However, the current behavior seems to be incorrect for sandboxed iframes, where a same-origin URL will result in a Sec-Fetch-Site header with value "cross-site".

Reproduction steps:
Visit https://polar-purrfect-pangolin.glitch.me/sandboxediframe.html which contains:
<iframe src="https://polar-purrfect-pangolin.glitch.me/" sandbox></iframe>

Expected behavior: The Sec-Fetch-Site header of the sandboxed iframe request has value "same-origin"
Actual behavior: The Sec-Fetch-Site header of the sandboxed iframe request has value "cross-site"

https://bugs.webkit.org/show_bug.cgi?id=256472 may be related.
Radar WebKit Bug Importer
Comment 1 2023-08-23 13:07:16 PDT
Vincent Lee
Comment 2 2024-05-31 10:20:24 PDT
Hi, what's the status on this? We'd love to roll out serverside security checks for Safari based on the Sec-Fetch headers, but Sec-Fetch-Site not being correct is giving us pause. We've rolled out on all other browsers, so only Safari is left. This appears to still be a bug in Safari 17.5
Vincent Lee
Comment 3 2024-05-31 10:31:35 PDT
Actually, on further reading of the spec, I think Chrome and FF might be the ones with the bug here. Sandboxing an iframe without `allow-same-origin` means the origin becomes opaque, and if I'm reading the language correctly for Sec-Fetch-Site, the algorithm for setting the header asserts that the request is from a "potentially trustworthy origin", which an opaque origin is not.
youenn fablet
Comment 4 2024-06-03 01:23:05 PDT
I think Chrome and FF are correct here. The env origin is the top level frame.
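Added example (not part of the bug report, the comments above, or WebKit's code): a small model of the spec's Sec-Fetch-Site derivation and of the kind of server-side Fetch Metadata check comment 2 wants to deploy, so the effect of the wrong value can be seen end to end. It assumes, following comment 4, that the request's origin for an `<iframe>` navigation is the embedding (top-level) frame's origin rather than the sandboxed frame's opaque origin; it approximates an origin's "site" by scheme plus the last two host labels (a real implementation must consult the Public Suffix List, otherwise two tenants of a shared-hosting suffix wrongly compare as same-site); and `allowedByFetchMetadata`, its header-object shape and the origins `app.example.com`/`api.example.com`/`evil.example` are hypothetical names for illustration.

```javascript
// Added example: model of the Sec-Fetch-Site algorithm plus a server-side
// resource-isolation policy that consumes it. Not WebKit code.

// Marker for an opaque origin (what a sandboxed frame without
// allow-same-origin gets). An opaque origin is same-origin only with itself,
// and never same-site with anything.
const OPAQUE = Symbol("opaque origin");

// Origin tuple of a URL: (scheme, host, port). `port` is "" for the default port.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port: u.port };
}

function isSameOrigin(a, b) {
  if (a === OPAQUE || b === OPAQUE) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// ASSUMPTION: registrable domain ~ last two labels. Real code needs the PSL.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function isSameSite(a, b) {
  if (a === OPAQUE || b === OPAQUE) return false;
  return a.scheme === b.scheme && registrableDomain(a.host) === registrableDomain(b.host);
}

// Model of "set the Sec-Fetch-Site header": `initiatorOrigin` is the request's
// origin; `urlList` is the request's URL list (every redirect hop, final URL last).
// Any cross-site hop makes the whole request cross-site; a same-site hop with the
// rest same-origin yields same-site; a user-initiated navigation yields none.
function secFetchSite(initiatorOrigin, urlList, { userInitiatedNavigation = false } = {}) {
  if (userInitiatedNavigation) return "none";
  let value = "same-origin";
  for (const url of urlList) {
    const target = originOf(url);
    if (isSameOrigin(initiatorOrigin, target)) continue;
    value = "cross-site";
    if (!isSameSite(initiatorOrigin, target)) break;
    value = "same-site";
  }
  return value;
}

// The report's reproduction, computed both ways. With the embedding frame's
// origin as the request origin (comment 4) the answer is "same-origin"; using
// the sandboxed frame's own opaque origin instead gives the observed "cross-site".
function reproduction() {
  const top = originOf("https://polar-purrfect-pangolin.glitch.me/sandboxediframe.html");
  const frame = "https://polar-purrfect-pangolin.glitch.me/";
  return {
    expected: secFetchSite(top, [frame]),
    observedIfOpaqueInitiator: secFetchSite(OPAQUE, [frame]),
  };
}

// Hypothetical server-side check of the kind comment 2 describes. `headers` is
// a plain object keyed by lower-case header name. Policy: anything same-origin,
// same-site or user-initiated passes; requests from browsers without Fetch
// Metadata pass (fail open, so older clients keep working); cross-site requests
// are allowed only as top-level GET navigations, so cross-site framing,
// subresource loads and state-changing requests are refused.
function allowedByFetchMetadata(headers, method) {
  const site = headers["sec-fetch-site"];
  if (site === undefined) return true;
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  return method === "GET" &&
    headers["sec-fetch-mode"] === "navigate" &&
    headers["sec-fetch-dest"] === "document";
}
```

Under this policy the reporter's sandboxed same-origin `<iframe>` is exactly the case that breaks: the request is a `navigate`-mode GET with `sec-fetch-dest: iframe`, which passes when the header says `same-origin` but is refused when the browser wrongly sends `cross-site`. That is the false-rejection risk behind comment 2's hesitation to enable the check for Safari.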
youenn fablet
Comment 5 2024-06-03 02:31:11 PDT
EWS
Comment 6 2024-06-16 23:37:57 PDT
Committed 280065@main (deeefb52b7fd): <https://commits.webkit.org/280065@main> Reviewed commits have been landed. Closing PR #29450 and removing active labels.