272680 – CSP *.origin does not work correctly in sandboxed frames

NEW 272680

CSP *.origin does not work correctly in sandboxed frames

https://bugs.webkit.org/show_bug.cgi?id=272680

Summary CSP *.origin does not work correctly in sandboxed frames

jannis.rautenstrauch

Reported 2024-04-15 07:49:36 PDT

In sandboxed iframes a CSP of `*.origin` does not match `sub.origin` even though it should?. - The following URL frames a sandboxed IFrame with CSP `script-src *.headers.websec.saarland`: http://sub.headers.websec.saarland/_hp/tests/script-execution-csp.sub.html?resp_type=basic&browser_id=1&label=CSP-SCRIPT&first_id=98&last_id=98&scheme=http&t_resp_id=98&t_element_relation=execution_sandbox&t_resp_origin=http://headers.webappsec.eu - The frame tries to load a script from `sub.headers.websec.saarland` - Loading is blocked by the CSP: no message is received - In Firefox and Chromium the script loads, a message is received Probably related: https://bugs.webkit.org/show_bug.cgi?id=272674

Attachments
Add attachment proposed patch, testcase, etc.

John Wilander

Comment 1 2024-04-15 11:01:26 PDT

I'll import this manually because the importer is taking too much time.

John Wilander

Comment 2 2024-04-15 11:04:13 PDT

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version Safari 17

Hardware Unspecified

OS Unspecified

Product WebKit

Component Frames

Assignee

Matthew Finkel

Reported

2024-04-15 07:49 PDT

Modified

2024-04-15 22:35 PDT History

CC List

4 users Show

URL

Keywords BrowserCompat, InRadar

Depends on

Blocks