WebKit Bugzilla
NEW
271377
Frame-Ancestors directive not supported in Content-Security-Policy-Report-Only Mode
https://bugs.webkit.org/show_bug.cgi?id=271377
jannis.rautenstrauch
Reported
2024-03-21 05:34:37 PDT
Framing a page that sets a `Content-Security-Policy-Report-Only: frame-ancestors 'none'` header results in the following error message: "The Content Security Policy directive 'frame-ancestors' is ignored when delivered in a report-only policy." in Safari only. In Chromium and Firefox, a report is generated. The following two WPT tests already test for this behavior and it would be great for compatibility if WebKit also would report the violation here.
- https://wpt.fyi/results/content-security-policy/frame-ancestors/report-only-frame.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
- https://wpt.fyi/results/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
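A local harness for checking the behaviour reported above in any browser, as an added example that is not part of the bug report, WebKit or WPT. The paths `/framed`, `/parent` and `/report`, port 8000, and the `report-uri` directive appended to the policy are assumptions made here so that a violation report has somewhere to go.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REPORTS = []  # parsed violation reports received on /report

# Policy from the bug report; report-uri is an assumption added for this harness.
POLICY = "frame-ancestors 'none'; report-uri /report"

class Handler(BaseHTTPRequestHandler):
    def _send(self, body, headers=()):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path == "/framed":
            # Report-only: the frame must still render, and a report should be sent.
            self._send("<p>framed page</p>",
                       [("Content-Security-Policy-Report-Only", POLICY)])
        elif self.path == "/parent":
            # 'none' forbids every ancestor, so same-origin framing also violates it.
            self._send('<iframe src="/framed"></iframe>')
        else:
            self.send_error(404)

    def do_POST(self):
        if self.path != "/report":
            return self.send_error(404)
        length = int(self.headers.get("Content-Length", 0))
        try:
            REPORTS.append(json.loads(self.rfile.read(length)))
        except ValueError:  # malformed JSON or bad encoding
            return self.send_error(400)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass

def start_server(port=0):
    server = ThreadingHTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    start_server(8000)
    input("Open http://127.0.0.1:8000/parent, then press Enter\n")
    print(json.dumps(REPORTS, indent=2))  # empty if the browser sent no report
```

An empty list after loading `/parent` means the browser rendered the frame without reporting the `frame-ancestors` violation.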
Karl Dubost
Comment 1
2024-03-21 20:12:12 PDT
The first test
http://wpt.live/content-security-policy/frame-ancestors/report-only-frame.sub.html
fails with (No asserts ran)
undefined is not an object (evaluating 'data[0]["body"]')
only in Safari.

The second test fails
http://wpt.live/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html
fails with (No asserts ran)
Safari: undefined is not an object (evaluating 'data[0]["body"]')
Firefox: can't access property "body", data[0] is undefined
Radar WebKit Bug Importer
Comment 2
2024-03-21 20:12:28 PDT
<rdar://problem/125210248>
jannis.rautenstrauch
Comment 3
2024-03-22 00:41:12 PDT
The second test failing in Firefox is not due to the feature the test wants to test but due to the fact that a download is triggered in Firefox only:
https://github.com/web-platform-tests/wpt/issues/45249