CSP blocks custom scheme frames whitelisted with frame-src

RESOLVED DUPLICATE of bug 1075230

Status

Firefox
Untriaged
4 years ago
4 years ago

People

(Reporter: Peksa, Unassigned)

Tracking

33 Branch
x86_64
Windows 7

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36

Steps to reproduce:

Have a page with the following CSP-policy: Content-Security-Policy: frame-src bankid://*
and an iframe as follows:
<iframe src="bankid://foobar"></iframe>

If I'm reading the spec correctly, this should be an allowed host-source.

A testcase exists here:
https://peks.as/experiments/ffcsp1/

A workaround is to use frame-src bankid: instead, which works as expected.



Actual results:

The iframe is blocked by the CSP implementation and an error message is logged in the developer console:

Content Security Policy: The page's settings blocked the loading of a resource at bankid://foobar ("frame-src bankid://*").


Expected results:

No error in the console, the iframe shouldn't be blocked, and in this case an app associated with the custom scheme should have launched.

This works as expected in Chrome 38.0.2125.104 m on Windows and in Mobile Safari on iOS 8.0.2.
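The two policy forms from the report (host-source `bankid://*` and scheme-source `bankid:`), run through a simplified model of CSP source-expression matching. This is an added example, not part of the original report and not Firefox's implementation; the function names are hypothetical, and ports, paths, keywords and the default-src fallback are not modelled.

```javascript
// Added example: simplified model of CSP source-expression matching.
// Handles only scheme-source ("bankid:") and host-source ("bankid://*",
// "https://*.example.com"). Ports, paths, keywords and nonces are ignored.

function parseSource(expr) {
  // scheme-source: "<scheme>:"
  let m = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (m) return { kind: "scheme", scheme: m[1].toLowerCase() };
  // host-source: "[<scheme>://]<host>", host is "*", "*.a.b" or "a.b"
  m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)$/i.exec(expr);
  if (m) {
    return { kind: "host", scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
  }
  return null; // not representable in this model (e.g. 'self', nonces)
}

function hostMatches(pattern, host) {
  if (pattern === "*") return host.length > 0; // bare wildcard: any host
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1)); // "*.a.b" vs "x.a.b"
  return host === pattern;
}

function sourceAllows(expr, url) {
  const src = parseSource(expr);
  if (!src) return false;
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  if (src.kind === "scheme") return scheme === src.scheme;
  if (src.scheme === null) {
    // Assumption: the protected page is served over HTTP(S), so a host-source
    // without a scheme-part never matches a custom scheme such as bankid.
    if (scheme !== "http" && scheme !== "https") return false;
  } else if (src.scheme !== scheme) {
    return false;
  }
  return hostMatches(src.host, u.hostname.toLowerCase());
}

function frameSrcAllows(policy, url) {
  // policy: the value of a single Content-Security-Policy header
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-src") {
      return sources.some((s) => sourceAllows(s, url));
    }
  }
  return true; // no frame-src directive; default-src fallback is not modelled
}
```

In this model both forms allow `bankid://foobar`, and both allow any other host under the `bankid` scheme, so the `bankid:` workaround does not widen the policy relative to `bankid://*`.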
(Reporter)

Comment 1

4 years ago
Looks like this is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1075230

Cannot reproduce it in nightly 36.0a1 (2014-10-23) so this seems fixed.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1075230