
Content Security Policy: Firefox allows setting <base> for sandboxed iframes ignoring the base-uri directive of the parent page

RESOLVED INVALID

Product: Firefox
Component: Untriaged
Status: RESOLVED INVALID
Reported: 6 months ago
Modified: 6 months ago
Reporter: Michele Spagnuolo
Assignee: Unassigned
Version: Trunk
Attachments: 1
(Reporter)

Description

6 months ago
Created attachment 8847066: PoC

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36

Steps to reproduce:

See PoC.


Actual results:

Firefox allows setting <base> for sandboxed iframes ignoring the base-uri directive of the parent page. If the iframe does not have the sandbox attribute, the base tag is correctly blocked.


Expected results:

The base tag should have been blocked respecting the parent document's CSP.
(Reporter)

Updated

6 months ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → INVALID
(Reporter)

Comment 1

6 months ago
Firefox simply does not propagate CSP to sandboxed iframes because they are in null origin.
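
Added example, not part of the bug report or of Firefox: since the embedding page's `base-uri` is not applied inside a null-origin sandboxed frame, the framed document can carry its own policy. The sketch assumes the frame content is an HTML fragment delivered through `srcdoc`; the function names and the sample markup are hypothetical.

```javascript
// Added example, not from the bug report. All function names are hypothetical.

// A sandboxed frame has an opaque ("null") origin unless its sandbox
// attribute carries the allow-same-origin token. null means "no attribute".
function hasOpaqueOrigin(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return false;
  const tokens = sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean);
  return !tokens.includes('allow-same-origin');
}

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Build <iframe srcdoc> markup. A frame that ends up in an opaque origin gets
// its own <meta> policy prepended, so a later <base> in the framed content is
// governed by base-uri without relying on the embedding page's CSP.
function buildFrame(fragment, sandboxAttr, baseUri = "'none'") {
  let doc = fragment;
  if (hasOpaqueOrigin(sandboxAttr)) {
    const policy = `base-uri ${baseUri}`;
    doc = `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(policy)}">` + doc;
  }
  const sandbox = sandboxAttr === null || sandboxAttr === undefined
    ? ''
    : ` sandbox="${escapeAttr(sandboxAttr)}"`;
  return `<iframe${sandbox} srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample: framed content that tries to set a base URL.
const sample = '<base href="https://other.example/"><a href="x">link</a>';
console.log(buildFrame(sample, 'allow-scripts')); // opaque origin: policy added
console.log(buildFrame(sample, null));            // not sandboxed: left as is
```

The `<meta>` element has to come before any `<base>` in the framed document, which is why it is prepended rather than appended.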