Chromium Code Reviews

Issue 822483002: CSP 'self' is not interpreted correctly for iframes,

Created:
6 years ago by jww
Modified:
5 years, 11 months ago
Reviewers:
Mike West
CC:
blink-reviews, mkwst+watchlist-csp_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Target Ref:
refs/heads/master
Project:
blink
Visibility:
Public.

Description

CSP 'self' is not interpreted correctly for iframes

According to the CSP spec, if 'self' is in the source-list, loaded resources should be matched to the URL of the resource context. However, Chrome has defined 'self' in terms of the execution context's security origin, which works for most cases. Unfortunately, if the frame is in a sandbox, the security origin is 'unique', which doesn't match to any other resource origin. The solution is to build the 'self' source from the execution context's URL, not its security origin.

R=mkwst@chromium.org
BUG=443444

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+12 lines, -3 lines) Patch
M Source/core/frame/csp/ContentSecurityPolicy.cpp View 1 chunk +12 lines, -3 lines 0 comments Download

Messages

Total messages: 3 (0 generated)
jww
Mike, can you take a look at this? I'm a little scared about this CL. ...
6 years ago (2014-12-20 01:34:42 UTC) #1
Mike West
This isn't quite so straightforward (you need to consider srcdoc frames, for instance). https://codereview.chromium.org/150893004/ is ...
6 years ago (2014-12-21 09:01:48 UTC) #2
jww
5 years, 11 months ago (2014-12-29 21:31:18 UTC) #3
On 2014/12/21 09:01:48, Mike West (OOO until Jan 7th) wrote:
> This isn't quite so straightforward (you need to consider srcdoc frames, for
> instance). https://codereview.chromium.org/150893004/ is an earlier attempt
> that
> I think is closer to correct. Reviewing it, Adam suggested that we change the
> spec instead to require explicit whitelisting of resources inside a sandbox
> rather than relying on location-based behavior.
Good point.
> 
> I'm inclined to agree with that; it's worth starting a webappsec thread in any
> event (which I intended to do, but apparently didn't). Would you be interested
> in kicking off that conversation in the new year?
Yup, I'll shoot out an email. I agree that it doesn't make sense to land any
solution until we have agreement on what to do.
> 
> It would also be interesting to see what Firefox and IE do here. If they've
> already made it work, that'd be an argument for aligning with them rather than
> changing the spec.
I haven't tested it myself, but the original bug filer claims that their demo
passes on Firefox and IE and only fails on Chrome.
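To make the failure mode from the description and the srcdoc caveat from the thread concrete, here is a small added model in JavaScript; it is not Blink code and not part of this CL. It compares deriving 'self' from the frame's security origin with deriving it from the frame's URL, using the WHATWG URL class that Node ships; the context object, the `sandboxed` flag and every URL are constructed for the illustration.

```javascript
// Simplified model of CSP 'self' matching (added illustration, not Blink code).
// Two strategies are compared: 'self' from the execution context's security
// origin (what the description says Chrome did) and 'self' from the context's
// URL (what the CL proposes).

// Minimal execution context. "sandboxed" here means a sandbox without
// allow-same-origin, which gives the frame an opaque ("unique") origin.
function makeContext(url, { sandboxed = false } = {}) {
  return { url, sandboxed };
}

// Security-origin strategy: an opaque origin serialises as "null", so
// 'self' can never match any real resource origin.
function selfFromSecurityOrigin(ctx) {
  if (ctx.sandboxed) return "null";
  return new URL(ctx.url).origin;
}

// URL strategy: take the origin from the context's URL, ignoring the sandbox.
// For about:srcdoc the URL itself carries no origin (the WHATWG URL parser
// serialises it as "null"), which is the srcdoc case raised in the review.
function selfFromUrl(ctx) {
  return new URL(ctx.url).origin;
}

// Does resourceUrl match a source list that contains only 'self'?
function matchesSelf(ctx, resourceUrl, strategy) {
  const self = strategy(ctx);
  if (self === "null") return false; // opaque origin matches nothing
  return new URL(resourceUrl).origin === self;
}

// Constructed scenarios: a page loading a same-origin script.
const page = "https://example.test/app/index.html";
const script = "https://example.test/static/app.js";
const plain = makeContext(page);
const sandboxed = makeContext(page, { sandboxed: true });
const srcdoc = makeContext("about:srcdoc", { sandboxed: true });

function demo() {
  return {
    plainOrigin: matchesSelf(plain, script, selfFromSecurityOrigin),         // true
    sandboxedOrigin: matchesSelf(sandboxed, script, selfFromSecurityOrigin), // false: the bug
    sandboxedUrl: matchesSelf(sandboxed, script, selfFromUrl),               // true: the CL's fix
    srcdocUrl: matchesSelf(srcdoc, script, selfFromUrl),                     // false: srcdoc caveat
  };
}
```

The last result is why the URL-based fix alone is not enough: a srcdoc frame has no usable URL of its own, so 'self' would have to be taken from the frame that created it.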
