Bug 1545424 (Closed)
CSP without 'unsafe-eval' breaks iframe contentWindow
Opened 6 years ago, closed 6 years ago
Categories: Core :: DOM: Security, defect
Status: RESOLVED INVALID
People: Reporter: sysojewosinskidominik, Unassigned
Attachments (1 file): image/png, 24.19 KB
To reproduce
- Load a website which has an iframe and submits a CSP script-src header without 'unsafe-eval' (an example of such a website is given underneath).
- Using the Developer Console, send a message to the iframe using:
document.getElementById("frame").contentWindow.postMessage("test", "*")
Expected Output:
- No Error
Actual Output in Firefox 66.0.3:
- Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src"). <full image as attachment>
Actual output in Google Chrome 73.0.3683.103:
- No Error
index.php:
<?php
header("Content-Security-Policy: script-src 'self' 'report-sample'");
?>
<html>
<head>
</head>
<body>
<iframe id="frame" src="frame.php"></iframe>
</body>
</html>
frame.php:
<?php
header("Content-Security-Policy: script-src 'self' 'report-sample'");
?>
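As an added example (not the reporter's code and not part of Firefox), a same-origin script that hooks the securitypolicyviolation event so a violation like the one reported above can be attributed to the script that actually raised it. Event field names follow the SecurityPolicyViolationEvent interface; the classification rules and the sample event are this example's own assumptions.

```javascript
// Added example, not the bug report's code: a same-origin helper that attributes
// "securitypolicyviolation" events to the script that triggered them, so an "eval"
// violation seen while testing postMessage() can be traced. Field names follow the
// SecurityPolicyViolationEvent interface; the classification rules are an assumption.
function attributeViolation(ev, documentOrigin) {
  const src = ev.sourceFile || '';
  let scheme = '';
  let origin = '';
  try {
    const u = new URL(src);
    scheme = u.protocol.replace(/:$/, '');
    origin = u.origin;
  } catch (_) {
    // sourceFile can be empty or non-URL when the browser has no script location.
  }
  let source;
  if (!src) source = 'unknown';
  else if (origin === documentOrigin) source = 'page'; // served by the page's own origin
  else source = 'foreign:' + scheme; // any other origin or scheme, e.g. an extension URL
  return {
    directive: ev.effectiveDirective || ev.violatedDirective,
    evalBlocked: ev.blockedURI === 'eval', // blockedURI is the literal string "eval" for eval()
    source,
    location: src ? src + ':' + (ev.lineNumber || 0) + ':' + (ev.columnNumber || 0) : null,
    sample: ev.sample || null, // only populated when the policy includes 'report-sample'
  };
}

// Install on the parent page (and in the frame) to log every violation with its attribution.
function installCspMonitor(win, log) {
  win.addEventListener('securitypolicyviolation', (ev) => {
    log(attributeViolation(ev, win.location.origin));
  });
}

// Constructed sample event (values made up): the shape a blocked eval() would take
// under "script-src 'self' 'report-sample'" if an extension-injected script called eval().
const SAMPLE_EVENT = {
  documentURI: 'https://app.example/index.php',
  violatedDirective: 'script-src', effectiveDirective: 'script-src',
  blockedURI: 'eval',
  sourceFile: 'moz-extension://placeholder-id/inject.js',
  lineNumber: 12, columnNumber: 3,
  sample: 'eval(msg)',
};

if (typeof window !== 'undefined') installCspMonitor(window, (r) => console.warn('CSP violation', r));
```

Serve the script from the same origin as index.php so that 'self' allows it, and include it in both index.php and frame.php; a violation whose source is not 'page' did not come from the site's own scripts.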
Comment 1 • 6 years ago
Dominik, thanks for reporting the bug. Do you either:
- have a live testcase which you could link to, or
- provide a testcase for us (e.g. using the meta tag to apply a csp)
so we can reproduce the problem on our end?
At the moment the problem report is too generic to make it actionable on our end!
Flags: needinfo?(sysojewosinskidominik)
I was trying to produce a testcase for you, during which I figured out that this bug is caused by one of the add-ons, which was preventing the message from being sent. I resolve as invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(sysojewosinskidominik)
Resolution: --- → INVALID