Closed Bug 1386183 Opened 2 years ago Closed 2 years ago

Meta CSP on data: URI iframe should be merged with toplevel CSP

Categories: Core :: DOM: Security, defect, P2
Status: RESOLVED FIXED
Target Milestone: mozilla57
Tracking Status: firefox57 --- fixed
People: Reporter: ckerschb, Assigned: ckerschb
Whiteboard: [domsecurity-active]
Attachments: 1 file

No description provided.
Assignee: nobody → ckerschb
Blocks: 1324406
Status: NEW → ASSIGNED
Depends on: 1381761
Priority: -- → P2
Whiteboard: [domsecurity-active]
Once we flip the pref so that data: URIs have their own unique origin, I am not sure if we treat that scenario correctly. To be precise, imagine a toplevel page with a CSP which includes a data: URI iframe which includes a <meta csp>. In that case both CSPs (the toplevel as well as the meta CSP) should apply to the iframe. If it works correctly, then we need an automated test at least for that bug.
I took a closer look, this works as expected. Please note that it shouldn't make any difference whether we treat data: URIs as unique opaque origins or not for that bug. In both worlds the data: URI iframe should enforce both CSPs in that case.
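The following is an added example and not Firefox code or the mochitest landed for this bug. It models the rule the test exercises: a data: URI iframe inherits the CSP of its including context, a `<meta http-equiv="Content-Security-Policy">` inside the iframe adds a second policy, and a load is permitted only if every policy in force allows it. The policy strings, origins and URLs are constructed for the scenario; host-source matching is simplified (no port or path matching), and the assumption that an inherited policy keeps the including context's `'self'` is spelled out in the comments.

```javascript
// Added example (not Firefox code). Models CSP enforcement when more than one
// policy applies to a document: each policy is checked independently and the
// load is allowed only if all of them allow it.

// Fetch directives that fall back to default-src when absent.
const FALLBACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src",
  "media-src", "object-src", "frame-src", "child-src",
]);

// Parse a serialized policy into Map<directiveName, sourceExpression[]>.
// A directive that appears twice keeps its first occurrence, as in CSP.
function parsePolicy(text) {
  const directives = new Map();
  for (const raw of text.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match a URL? selfOrigin is the origin of the
// document that delivered the policy. Assumption: a policy inherited by a
// data: URI iframe keeps the including context's 'self', because a data:
// URI has no origin of its own to resolve 'self' against.
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s.startsWith("'")) return s === "'self'" && url.origin === selfOrigin;
  if (s === "*") return url.protocol !== "data:" && url.protocol !== "blob:";
  if (s.endsWith(":")) return url.protocol === s;            // scheme-source
  // host-source: optional scheme, optional *. wildcard (simplified: no port/path)
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (!scheme && url.protocol !== "http:" && url.protocol !== "https:") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Does a single policy allow this load? A directive the policy does not
// govern (and that has no default-src fallback) places no restriction.
function policyAllows(policy, directive, url) {
  let sources = policy.directives.get(directive);
  if (sources === undefined && FALLBACK_TO_DEFAULT.has(directive)) {
    sources = policy.directives.get("default-src");
  }
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, url, policy.selfOrigin));
}

// The security-relevant rule: every policy in effect must allow the load.
// A second policy can only narrow what is allowed, never widen it.
function allowed(policies, directive, urlString) {
  const url = new URL(urlString);
  return policies.every((p) => policyAllows(p, directive, url));
}

// Constructed scenario mirroring the bug: a page on https://example.com
// delivers a CSP header and embeds a data: URI iframe whose markup carries
// a <meta> CSP. Inside the iframe both policies are in force.
const TOPLEVEL_CSP = "default-src 'self'; img-src 'self' https://cdn.example.net";
const IFRAME_META_CSP =
  "img-src https://cdn.example.net https://widen.example.org; script-src 'none'";

function iframePolicies() {
  const selfOrigin = "https://example.com"; // assumption: inherited 'self' (see above)
  return [
    { selfOrigin, directives: parsePolicy(TOPLEVEL_CSP) },
    { selfOrigin, directives: parsePolicy(IFRAME_META_CSP) },
  ];
}

// Each entry shows which policy decides the outcome when both are enforced.
function demo() {
  const p = iframePolicies();
  return {
    cdnImage: allowed(p, "img-src", "https://cdn.example.net/logo.png"),  // both allow
    selfImage: allowed(p, "img-src", "https://example.com/logo.png"),     // meta blocks
    widenImage: allowed(p, "img-src", "https://widen.example.org/x.png"), // toplevel blocks
    selfScript: allowed(p, "script-src", "https://example.com/app.js"),   // meta 'none' blocks
    topOnlyScript: allowed([p[0]], "script-src", "https://example.com/app.js"), // toplevel alone would allow
  };
}

console.log(demo());
```

The `widenImage` and `topOnlyScript` cases are the ones that matter for this bug: if the iframe enforced only its own meta policy, a data: URI frame could widen the inherited image policy; if it enforced only the inherited one, the meta policy's `script-src 'none'` would be ignored. Enforcing both, as the landed test checks, gives the intersection.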
Attachment #8892397 - Flags: review?(dveditz)
Attachment #8892397 - Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2fe2cb5e4577
Test Meta CSP on data: URI iframe to be merged with CSP from including context. r=dveditz
https://hg.mozilla.org/mozilla-central/rev/2fe2cb5e4577
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57