Open Bug 1608569 Opened 6 years ago Updated 3 years ago

Investigate Feature policy inherit from iframe to document if there's no src or about:blank

Categories

(Core :: DOM: Security, task, P3)

People

(Reporter: tnguyen, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(1 file)

Given the case of an iframe without src:
<html>
<body>
<iframe></iframe>
</body>
</html>

The question is whether we should block requests in the iframe by default (if the document has an eSelf feature policy) or allow them.
I could see there are some wpt tests that block it:
https://searchfox.org/mozilla-central/rev/d4d6f81e0ab479cde192453bae83d5e3edfb39d6/testing/web-platform/tests/fullscreen/api/document-fullscreen-enabled.html#2
If yes, we should change the inheritance policy (at the moment we inherit only when we start loading a document).

Whiteboard: [domsecurity-backlog]

The priority flag is not set for this bug.
:ckerschb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ckerschb)
Priority: -- → P3
Type: defect → task

I think I've observed an inconsistency: iframes with src="" inherit the Feature Policy of the parent document, but iframes with src="about:blank" don't. I'm attaching the file "Feature Policy inheritance test.html" with instructions to reproduce this observation.

My hypothesis is that Firefox is considering that entering an iframe with src="" is not a change of domain, but entering an iframe with src="about:blank" is, which seems inconsistent to me.

Blocking requests from iframes with src="about:blank" is problematic in my use case, and neither Chrome, Edge nor Opera does it, which together leads me to think this is a defect.

Regarding my use case, I work with a third-party web application that creates iframes with src="about:blank" and generates content inside them programmatically, so the content of the iframes is trusted, but I cannot access features regulated by the Feature Policy in Firefox.

Thank you for your time, I hope my reasoning is clear and that writing this comment is appropriate in this context. Please notify me in case I should, for example, open a separate bug.
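
The comparison described in the comment above can be made with a small probe like the following. This is an added example, not the bug's attachment (which is not reproduced on this page) and not Mozilla code; the function names, variant labels and timeout are assumptions. It reports what each iframe variant exposes for fullscreen without asserting what the correct answer is, so the rows can be compared across browsers.

```javascript
// Added example. In a browser console: probeFrameVariants(document).then(console.table)
// The three variants discussed in this bug (labels are assumptions of this sketch).
const VARIANTS = [
  { name: 'no src attribute', src: null },
  { name: 'src=""', src: '' },
  { name: 'src="about:blank"', src: 'about:blank' },
];

// Read the policy-controlled state from a frame's document.
function readState(frameDoc) {
  if (!frameDoc) return { fullscreenEnabled: null, allowsFullscreen: null };
  // document.featurePolicy is not exposed in every browser; null means "not exposed".
  const fp = frameDoc.featurePolicy;
  return {
    fullscreenEnabled: frameDoc.fullscreenEnabled,
    allowsFullscreen: fp ? fp.allowsFeature('fullscreen') : null,
  };
}

// Create one iframe, wait for its load event (or a timeout), then read its state.
function probeOne(doc, variant, timeoutMs) {
  return new Promise((resolve) => {
    const frame = doc.createElement('iframe');
    if (variant.src !== null) frame.setAttribute('src', variant.src);
    let done = false;
    const finish = (how) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      const state = readState(frame.contentDocument);
      frame.remove();
      resolve({ variant: variant.name, settledBy: how, ...state });
    };
    const timer = setTimeout(() => finish('timeout'), timeoutMs);
    // Listener is attached before insertion so a synchronous load event is not missed.
    frame.addEventListener('load', () => finish('load'));
    doc.body.appendChild(frame);
  });
}

// Probe the variants one after another and return one row per variant.
async function probeFrameVariants(doc, timeoutMs = 1000) {
  const rows = [];
  for (const v of VARIANTS) rows.push(await probeOne(doc, v, timeoutMs));
  return rows;
}
```

Reading the state only after `load` matters here because, as the first comment notes, the policy is currently inherited only when a document starts loading.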

I can confirm that bug: iframes with src="about:blank" don't have the good Feature Policy. This is blocking me from displaying an element full screen, for example. Firefox is the only browser with that bug; all the other ones work fine. Tested with both ESR and Firefox dev edition.

Severity: normal → S3