Open Bug 1033675 Opened 10 years ago Updated 2 years ago

[CSP] unify behavior of frame-ancestors with CSP spec when documents with unusual schemes like about: and blob:

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

People

(Reporter: geekboy, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-needed, Whiteboard: [CSP 1.1] [domsecurity-backlog1]) 

In bug 1031658 bz points out that it's not clear in the CSP spec what to do when a protected document has frame ancestors that are about:srcdoc, about:blank, data:, blob: URIs (etc).

We need to (1) clarify in the CSP spec[0] what to do in these cases, probably for the editor's draft[1] and (2) make sure or fix our implementation to do that.

Currently in gecko, about: and blob: are considered a scheme for the frame-ancestors check, and a CSP that doesn't permit those schemes explicitly will not allow those as ancestors.  But that may not completely make sense since those documents may have inherited an origin from a parent that has an http scheme (for example).  Spec needs clarity, and we need to verify that gecko does what the spec says.

[0]http://www.w3.org/TR/CSP/
[1]https://w3c.github.io/webappsec/specs/content-security-policy/
Please link to the spec issue that was raised?
So this is related, but tangental (more about whether srcdoc/blob/etc inherit CSP from their creators): http://www.w3.org/2011/webappsec/track/issues/15

I'm not in tune with the WG's customs so I'll figure out the appropriate method to open an issue for the frame-ancestors case and post a link here as soon as I can.
Flags: needinfo?(sstamm)
Editors draft says (about source matching in general):
> "If the source expression a consists of a single U+002A ASTERISK 
> character (*), and the URI’s scheme is not of a type designating 
> a globally unique identifier, (such as blob:, data:, or filesystem:) 
> then return does match."
[ https://w3c.github.io/webappsec/specs/content-security-policy/#match-source-expression ]

And in addition:
> "As defined above, special URI schemes that refer to specific pieces 
> of unique content, such as "data:", "blob:" and "filesystem:" are 
> excluded from matching a policy of * and must be explicitly listed. 
> Policy authors should note that the content of such URIs is often derived 
> from a response body or execution in a Document context, which may be 
> unsafe. Especially for the default-src and script-src directives, policy 
> authors should be aware that allowing "data:" URIs is equivalent to 
> unsafe-inline and allowing "blob:" or "filesystem:" URIs is equivalent to
> unsafe-eval."
[ https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-guid-matching ]

This suggests special treatment for those (but not by looking up their origin for source matching, they must actually be declared as valid sources by name [e.g., "data:"] in the CSP).

That doesn't clear up the srcdoc case, which is being discussed on public-webappsec.
[ http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0018.html ]

I'll update again when an issue gets filed and the wg makes progress on this topic.
Garrett: you had volunteered to bring this up in the WG... when an issue for this is raised (and/or when the group decides what to do) would you please post relevant links in this bug?
Flags: needinfo?(grobinson)
Assignee: nobody → grobinson
Blocks: csp-w3c-2
Severity: minor → normal
Flags: needinfo?(sstamm)
Priority: -- → P1
Whiteboard: [CSP 1.1]
Assignee: garrett.f.robinson+mozilla → mozilla
dveditz is going to bring this up again with the wg.  Based on the latest draft of CSP2, blob: should be treated like data: (as we currently treat data:) and srcdoc is still unclear.
Flags: needinfo?(garrett.f.robinson+mozilla)
Flags: needinfo?(dveditz)
May need to mention any behavior changes in Fx for developers when this is fixed.
Keywords: dev-doc-needed
I opened an issue on the spec to change the language to document origin rather than URL:
https://github.com/w3c/webappsec/issues/311

feedback so far: 
* Mike thinks URLs are a feature so that sandboxed iframes work
* Brad thinks we should definitely use Origin on principle, and _especially_ if it makes sandboxed iframes NOT work (sandboxing is a sign the origin site isn't trusting its own content).

CSP is next scheduled to come up at the WASWG teleconference on June 15, I'll make sure this is on the agenda for a decision. In the meantime I think we should just go with Origin; URL makes no sense.
Flags: needinfo?(dveditz)
Kate, as discussed can you please follow up with the working group so we can get that fixed?
Assignee: mozilla → kmckinley
Flags: needinfo?(kmckinley)
Status: NEW → ASSIGNED
Commented on https://github.com/w3c/webappsec/issues/311
Flags: needinfo?(kmckinley)
Whiteboard: [CSP 1.1] → [CSP 1.1] [domsecurity-active]
This bug is not critical and will most likely not be fixed within this cycle, hence reclassifying.
Priority: P1 → P3
Whiteboard: [CSP 1.1] [domsecurity-active] → [CSP 1.1] [domsecurity-backlog1]
Removing backlog so this bug shows up in our next triage meeting. Given the latest discussions around x-frame-options and frame-ancestors (e.g. Bug 1024557) it might make sense to restructure (rearchitecture) all of our frame-ancestors code and make our implementation match the spec.
Whiteboard: [CSP 1.1] [domsecurity-backlog1] → [CSP 1.1]
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #11)
> Removing backlog so this bug shows up in our next triage meeting. Given the
> latest discussions around x-frame-options and frame-ancestors (e.g. Bug
> 1024557) it might make sense to restructure (rearchitecture) all of our
> frame-ancestors code and make our implementation match the spec.

So, this one can actually stay in the backlog.
Whiteboard: [CSP 1.1] → [CSP 1.1] [domsecurity-backlog1]
Assignee: kate+bugzilla → nobody
Status: ASSIGNED → NEW
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.