iframes blocked by CSP don't fire an onload event
Categories: Core :: DOM: Security, defect, P3
People: Reporter: jgraham, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog1]
There are several tests under testing/web-platform/tests/content-security-policy/frame-ancestors timing out because they are injecting an iframe and waiting on getting either a load event or an error event. When the iframe load is blocked by CSP we send neither event and the tests stall. In other browsers the tests are able to run to completion (but seem to have other problems that prevent them from passing) [1].
Comment 1•6 years ago
Once we have fixed Bug 965637, we should re-evaluate what we can do here - putting in the backlog for now.
Comment 2 (Reporter)•5 years ago
The prerequisite was fixed here, and we still have many tests timing out due to this bug, plus obviously doing something different to Chrome seems like a web-compat risk (of course sites shouldn't rely on resources being blocked, but the web is pretty strange). Can we reevaluate the priority here?
Comment 3•5 years ago
Removing keywords so this shows up in the weekly triage meeting again in order to re-evaluate the priority request.
Comment 4•5 years ago
Anne: one of the specs ought to say what should happen here, right? Maybe the CSP spec, or maybe fetch or HTML? Chrome is issuing one of these because the tests were written to expect it. Should we just copy Chrome, or think about which response is better? We should probably do whatever we do for a 404 so we're not leaking extra information (but Chrome-compat is also good).
Comment 5•5 years ago
See bug 1599256 comment 11. I think we should copy Chrome. (Ideally this would be like a network error, not like a 404 (which is a success for frames), but compatibility wins.)
Comment 6•5 years ago
Changing the summary to "onload" per what Chrome does and discussions in the WHATWG issue referenced in bug 1599256.
Comment 7•5 years ago
Note that the fix though should be firing a load event for all network errors, not just CSP-induced network errors.
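The stall described in the report (a test waits for a load or error event that never arrives when CSP blocks the frame) can be bounded on the test side. The following is an added example, not code from this bug or from web-platform-tests; `watchFrame`, `probeFrame` and the injectable `timers` parameter are hypothetical names.

```javascript
// Added example: settle an iframe probe exactly once, even if no event fires.
// `timers` is injectable so the timeout path can be exercised without waiting.
function watchFrame(frame, timeoutMs, onOutcome, timers = globalThis) {
  let settled = false;
  let timerId = null;

  function settle(outcome) {
    if (settled) return;            // ignore late events after the first outcome
    settled = true;
    timers.clearTimeout(timerId);
    frame.removeEventListener("load", onLoad);
    frame.removeEventListener("error", onError);
    onOutcome(outcome);
  }
  function onLoad() { settle("load"); }
  function onError() { settle("error"); }

  frame.addEventListener("load", onLoad);
  frame.addEventListener("error", onError);
  // The case from this bug: the load is blocked and neither event is sent.
  timerId = timers.setTimeout(() => settle("timeout"), timeoutMs);
}

// Browser-side use: inject the frame, report the outcome, then clean up.
function probeFrame(doc, url, timeoutMs, onOutcome) {
  const frame = doc.createElement("iframe");
  watchFrame(frame, timeoutMs, (outcome) => {
    frame.remove();
    onOutcome(outcome);
  });
  frame.src = url;
  doc.body.appendChild(frame);
  return frame;
}
```

As the comments note, Chrome fires a load event for a blocked frame, so a "load" outcome alone does not show that the framed content was rendered.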
Updated•2 years ago