Closed Bug 1086579 Opened 10 years ago Closed 10 years ago

CSP blocks custom scheme frames whitelisted with frame-src

Categories

(Firefox :: Untriaged, defect)

33 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 1075230

People

(Reporter: bugzilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36

Steps to reproduce:

Have a page with the following CSP policy:
Content-Security-Policy: frame-src bankid://*
and an iframe as follows:
<iframe src="bankid://foobar"></iframe>

If I'm reading the spec correctly, this should be an allowed host-source.

A testcase exists here:
https://peks.as/experiments/ffcsp1/

A workaround is to use frame-src bankid: instead, which works as expected.



Actual results:

The iframe is blocked by the CSP implementation and an error message is logged in the developer console:

Content Security Policy: The page's settings blocked the loading of a resource at bankid://foobar ("frame-src bankid://*").


Expected results:

No error in the console, the iframe shouldn't be blocked, and in this case an app associated with the custom scheme should have launched.

This works as expected in Chrome 38.0.2125.104 m on Windows and in Mobile Safari on iOS 8.0.2.

Looks like this is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1075230

Cannot reproduce it in nightly 36.0a1 (2014-10-23) so this seems fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
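
The host-source reading from the report, as an added example that is not part of the bug report and is not Firefox's CSP code: a simplified matcher under which both frame-src bankid://* and the workaround frame-src bankid: allow bankid://foobar. The function names are illustrative, and the sketch assumes only scheme-source and host-source expressions, with no paths, keywords, default-port equivalence or default-src fallback.

```javascript
// Added example: simplified CSP source matching (scheme-source and host-source
// only; no paths, keywords, default ports or default-src fallback).
const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i;
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;
const URL_PARTS = /^([a-z][a-z0-9+.-]*):(?:\/\/([^\/:?#]*)(?::(\d+))?)?/i;

// Classify one source expression: "bankid:" is a scheme-source,
// "bankid://*" is a host-source whose host part is the bare wildcard.
function parseSource(expr) {
  let m = SCHEME_SOURCE.exec(expr);
  if (m) return { kind: "scheme", scheme: m[1].toLowerCase() };
  m = HOST_SOURCE.exec(expr);
  if (!m) return null; // outside what this sketch models
  return { kind: "host", scheme: m[1] ? m[1].toLowerCase() : null,
           host: m[2].toLowerCase(), port: m[3] || null };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true; // bare wildcard: any host
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// pageScheme stands in for the protected page's scheme, used when the
// source expression has no scheme of its own (assumed "https" here).
function sourceAllows(expr, url, pageScheme = "https") {
  const src = parseSource(expr);
  const u = URL_PARTS.exec(url);
  if (!src || !u) return false;
  const scheme = u[1].toLowerCase();
  if (src.kind === "scheme") return src.scheme === scheme;
  if ((src.scheme || pageScheme) !== scheme) return false;
  if (!hostMatches(src.host, (u[2] || "").toLowerCase())) return false;
  return src.port === "*" || src.port === (u[3] || null);
}

// Returns true/false when the policy has a frame-src directive,
// or null when frame-src is absent (fallback is not modelled).
function frameSrcAllows(policy, url) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-src")
      return sources.some((s) => sourceAllows(s, url));
  }
  return null;
}
```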