NEW 271377
Frame-Ancestors directive not supported in Content-Security-Policy-Report-Only Mode
https://bugs.webkit.org/show_bug.cgi?id=271377
jannis.rautenstrauch
Reported 2024-03-21 05:34:37 PDT
Framing a page that sets a `Content-Security-Policy-Report-Only: frame-ancestors 'none'` header results in the following error message: "The Content Security Policy directive 'frame-ancestors' is ignored when delivered in a report-only policy." in Safari only. In Chromium and Firefox, a report is generated.

The following two WPT tests already test for this behavior and it would be great for compatibility if WebKit would also report the violation here.
- https://wpt.fyi/results/content-security-policy/frame-ancestors/report-only-frame.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
- https://wpt.fyi/results/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html?label=master&label=experimental&aligned&q=frame-ancestors
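To check which browsers actually deliver a report for the report-only frame-ancestors case described above, a site operator needs a page that sends the header and an endpoint that records what arrives. The following is an added example, not code from the bug report, from WebKit or from the WPT tests it cites. It serves the header with a constructed `report-uri` endpoint path, parses both the legacy `csp-report` payload and the Reporting API payload, and classifies a report as a report-only framing violation; the sample report bodies are constructed for illustration.

```python
"""Minimal CSP violation-report collector for the report-only frame-ancestors case.

Added example, not part of the WebKit bug or the WPT tests it references.
The endpoint path, header value and sample report bodies are constructed.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

REPORT_PATH = "/csp-report"   # assumed collector endpoint, not from the page


def report_only_header(report_path: str = REPORT_PATH) -> tuple:
    """Header pair that should yield a report (never a block) when the page is framed."""
    return ("Content-Security-Policy-Report-Only",
            f"frame-ancestors 'none'; report-uri {report_path}")


def parse_csp_report(raw: bytes) -> Optional[dict]:
    """Normalise a violation report into {directive, document_uri, disposition}.

    Accepts the legacy report-uri shape ({"csp-report": {...}}) and the
    Reporting API shape ([{"type": "csp-violation", "body": {...}}]).
    Returns None when the payload is not a CSP violation report.
    """
    try:
        data = json.loads(raw)
    except ValueError:
        return None
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        body = data["csp-report"]
        return {
            # Older reports may carry only violated-directive, e.g. "frame-ancestors 'none'".
            "directive": body.get("effective-directive")
                         or body.get("violated-directive", "").split(" ")[0] or None,
            "document_uri": body.get("document-uri"),
            "disposition": body.get("disposition"),   # may be absent in older formats
        }
    if isinstance(data, list):
        for report in data:
            if isinstance(report, dict) and report.get("type") == "csp-violation":
                body = report.get("body") or {}
                return {
                    "directive": body.get("effectiveDirective"),
                    "document_uri": body.get("documentURL"),
                    "disposition": body.get("disposition"),
                }
    return None


def is_report_only_framing_violation(report: Optional[dict]) -> bool:
    """True when the browser reported, rather than enforced, a frame-ancestors violation."""
    return (report is not None
            and report["directive"] == "frame-ancestors"
            and report["disposition"] != "enforce")


class Collector(BaseHTTPRequestHandler):
    """Stores parsed reports; a browser that never posts leaves `received` empty."""
    received = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        parsed = parse_csp_report(self.rfile.read(length))
        if self.path == REPORT_PATH and parsed is not None:
            Collector.received.append(parsed)
            self.send_response(204)
        else:
            self.send_response(400)
        self.end_headers()


# Constructed sample payloads shaped like a report-only frame-ancestors violation.
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.com/framed.html",
    "violated-directive": "frame-ancestors 'none'",
    "effective-directive": "frame-ancestors",
    "disposition": "report",
}}).encode()

REPORTING_API_SAMPLE = json.dumps([{
    "type": "csp-violation",
    "url": "https://example.com/framed.html",
    "body": {"documentURL": "https://example.com/framed.html",
             "effectiveDirective": "frame-ancestors",
             "disposition": "report"},
}]).encode()

if __name__ == "__main__":
    # Run, then load a page carrying report_only_header() inside an iframe on another origin.
    HTTPServer(("127.0.0.1", 8080), Collector).serve_forever()
```

Run the module and frame a page that carries the header from a different origin: a browser that honours report-only `frame-ancestors` posts one report and `Collector.received` grows by one; the Safari behaviour in this bug leaves it empty.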
Karl Dubost
Comment 1 2024-03-21 20:12:12 PDT
The first test http://wpt.live/content-security-policy/frame-ancestors/report-only-frame.sub.html fails with (No asserts ran) undefined is not an object (evaluating 'data[0]["body"]') only in Safari.

The second test http://wpt.live/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html fails with (No asserts ran)
Safari: undefined is not an object (evaluating 'data[0]["body"]')
Firefox: can't access property "body", data[0] is undefined
Radar WebKit Bug Importer
Comment 2 2024-03-21 20:12:28 PDT
jannis.rautenstrauch
Comment 3 2024-03-22 00:41:12 PDT
The second test failing in Firefox is not due to the feature the test wants to test but due to the fact that a download is triggered in Firefox only: https://github.com/web-platform-tests/wpt/issues/45249