Closed Bug 1386183 Opened 2 years ago Closed 2 years ago
Meta CSP on data: URI iframe should be merged with toplevel CSP
No description provided.
Once we flip the pref so that data: URIs have their own unique origin, I am not sure if we treat that scenario correctly. To be precise, imagine a toplevel page with a CSP which includes a data: URI iframe which includes a <meta csp>. In that case both CSPs (the toplevel as well as the meta csp) should apply to the iframe. If it works correctly, then we need an automated test at least for that bug.
I took a closer look; this works as expected. Please note that it shouldn't make any difference whether we treat data: URIs as unique opaque origins or not for that bug. In both worlds the data: URI iframe should enforce both CSPs in that case.
Attachment #8892397 - Flags: review?(dveditz)
Attachment #8892397 - Flags: review?(dveditz) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/2fe2cb5e4577 Test Meta CSP on data: URI iframe to be merged with CSP from including context. r=dveditz
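The scenario discussed in this bug, as an added fixture that is not the test landed in the commit above: a toplevel page served with a CSP header frames a data: document that carries its own meta CSP, and the frame reports which directives blocked its loads. The two policies, the port, and the example.com URLs are constructed for illustration.

```javascript
// Added example: fixture for checking that a data: iframe enforces both the
// embedding page's CSP and its own <meta> CSP. All values are constructed.
const TOPLEVEL_CSP = "img-src 'none'";   // sent as a response header
const META_CSP = "media-src 'none'";     // declared inside the framed document

// Document loaded through the data: URI. It attempts one load per policy and
// posts each violated directive to the embedding page.
function framedDocument() {
  return `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="${META_CSP}">
<script>
document.addEventListener("securitypolicyviolation", (e) => {
  parent.postMessage(e.effectiveDirective, "*");
});
new Image().src = "https://example.com/blocked.png"; // hits toplevel img-src
new Audio().src = "https://example.com/blocked.ogg"; // hits meta media-src
</script></head><body></body></html>`;
}

// Toplevel response: CSP header plus a page that frames the data: document
// and records which directives the frame reported.
function toplevelResponse() {
  const src = "data:text/html," + encodeURIComponent(framedDocument());
  const body = `<!DOCTYPE html><html><body><pre id="out">waiting</pre>
<script>
const seen = new Set();
addEventListener("message", (e) => {
  seen.add(e.data);
  const both = seen.has("img-src") && seen.has("media-src");
  document.getElementById("out").textContent =
    [...seen].join(", ") + (both ? " : both policies enforced" : "");
});
</script>
<iframe src="${src}"></iframe></body></html>`;
  const headers = {
    "Content-Type": "text/html",
    "Content-Security-Policy": TOPLEVEL_CSP,
  };
  return { headers, body };
}

// Run with "--serve" to host the fixture locally and open it in a browser.
if (process.argv.includes("--serve")) {
  import("node:http").then((http) => http.createServer((req, res) => {
    const { headers, body } = toplevelResponse();
    res.writeHead(200, headers);
    res.end(body);
  }).listen(8080, "127.0.0.1"));
}
```

If the frame reports only `media-src`, the CSP of the including context was not applied to the data: document; if it reports only `img-src`, the meta CSP was ignored.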