DescriptionCSP 'self' is not interpreted correctly for iframes,
According to the CSP spec, if 'self' is in the source-list, loaded
resources should be matched to the URL of the resource context. However,
Chrome has defined 'self' in terms of the execution context's security
origin, which works for most cases. Unfortunately, if the frame is in a
sandbox, the security origin is 'unique', which doesn't match to any
other resource origin. The solution is to build the 'self' source from
the execution context's URL, not it's security origin.
R=mkwst@chromium.org
BUG=443444
Patch Set 1 #
Messages
Total messages: 3 (0 generated)
|