Closed Bug 1194734 Opened 9 years ago Closed 8 years ago

[CSP] The anchor download attribute violates frame-src directive when data uri is used

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
40 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: rbhitchcock, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:40.0) Gecko/20100101 Firefox/40.0 Build ID: 20150812163655 Steps to reproduce: I manage an intranet web application that tracks projects within my organization. We created another application to host some metric-generation JavaScript libraries (e.g. d3) for the data within the primary application. The goal is to sandbox the metric site within the primary application. The primary application includes "frame-src: https://mymetricssite.com" as part of its CSP header. The metric site is embedded like so: <iframe src='https://mymetricssiteabcdef.com' sandbox='allow-script allow-same-origin'></iframe> We use postMessage to communicate back and forth. The metrics application builds a chart, and has a button to click for downloading the generated chart. Some JS converts the chart from SVG to PNG, and then creates an anchor tag (within the sandboxed iframe) such as the following: <a href="data:image/png;base64,<BASE64ENCODEDIMAGEDATA>" target="_self" download="cwe-image.png">CLICKY CLICKY</a> Actual results: Upon clicking the anchor tag, the console reports the following error: 10:54:41.451 Content Security Policy: The page's settings blocked the loading of a resource at data:image/png;base64,<MYBASE64ENCODEDIMAGEDATA ("frame-src https://mymetricssiteabcdef.com").1 <unknown> Expected results: I would expect that the user would be prompted to download the file. I don't understand why a frame is attempted to be created in the parent window. I have tried reading through the W3C specs regarding CSP, iframe sandboxing, and the anchor tag, but nothing jumps out to me as to why this behavior is happening. In the latest version of Chrome, I am prompted to download the image.
Component: Untriaged → Security
What CSP headers, if any, are sent for 'https://mymetricssiteabcdef.com'?
Flags: needinfo?(rbhitchcock)
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]
Closing this bug due to the lack of response.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(rbhitchcock)
Resolution: --- → INCOMPLETE
Note that for a while Chrome incorrectly implemented CSP for data: URLs. So most likely the CSP being sent did not allow data: URLs and Chrome was just buggy when the reporter tested...
You need to log in before you can comment on or make changes to this bug.