Content Security Policy directive "sandbox" does not support value "allow-downloads"
Categories
(Core :: DOM: Security, enhancement, P3)
People
(Reporter: candrews, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
- Visit https://www.integralblue.com/allow-downloads/index.html
- Click the "Download" link
Actual results:
File download dialog appears
Expected results:
The download should be denied.
I'm not sure if the UA should navigate to https://www.integralblue.com/logo.png or simply do nothing.
https://www.integralblue.com/allow-downloads/index.html includes a Content Security Policy header with "sandbox allow-frames"
Since the "sandbox" directive doesn't include the "allow-downloads" directive-value, downloads should be denied.
See https://w3c.github.io/webappsec-csp/#directive-sandbox where it says:
The sandbox directive specifies an HTML sandbox policy which the user agent will apply to a resource, just as though it had been included in an iframe with a sandbox property.
For Firefox's support for the iframe sandbox property including a value of "allow-downloads" see bug 1558394
Also, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox currently does not document "allow-downloads" - it should.
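As an added illustration (not code from the reporter or from Firefox), the following JavaScript parses a Content-Security-Policy value and applies the rule the report cites from the CSP spec: when a sandbox directive is present, the document gets an HTML sandbox flag set, and a download may proceed only if the allow-downloads keyword is among the directive's values; with no sandbox directive at all, downloads are not restricted by CSP. The keyword list is the HTML sandbox keyword set; tokens that are not sandbox keywords (such as the allow-frames token in the reported header) are ignored, which is how the HTML sandboxing-directive parser treats unknown tokens. The function names and the sample header values are constructed for this example.

```javascript
// Added example: evaluate whether a document's CSP "sandbox" directive
// permits downloads. Not Firefox code; a model of the spec rule the bug cites.

// The sandbox keywords defined by HTML's "parse a sandboxing directive".
const SANDBOX_KEYWORDS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Parse a CSP header value into a Map of directive name -> token list.
// Directives are ';'-separated, tokens whitespace-separated, names are
// ASCII case-insensitive, and a repeated directive name is ignored (CSP
// keeps the first occurrence).
function parseCsp(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the set of sandbox keywords in effect, or null when the policy has
// no sandbox directive (the document is not sandboxed by this policy).
// Unknown tokens are dropped, as the HTML sandboxing-directive parser does.
function sandboxFlags(headerValue) {
  const directives = parseCsp(headerValue);
  if (!directives.has("sandbox")) return null;
  const flags = new Set();
  for (const tok of directives.get("sandbox")) {
    const kw = tok.toLowerCase();
    if (SANDBOX_KEYWORDS.has(kw)) flags.add(kw);
  }
  return flags;
}

// The decision a user agent makes before starting a download that the
// document triggered: allowed unless the document is sandboxed without
// the allow-downloads keyword. A bare "sandbox" denies everything.
function downloadsAllowed(headerValue) {
  const flags = sandboxFlags(headerValue);
  return flags === null || flags.has("allow-downloads");
}

// Constructed sample policies. "reported" is the value the bug describes.
const SAMPLE_POLICIES = {
  reported: "sandbox allow-frames",
  withDownloads: "default-src 'self'; sandbox allow-scripts allow-downloads",
  bareSandbox: "sandbox",
  noSandbox: "default-src 'self'; img-src *",
};

for (const [label, value] of Object.entries(SAMPLE_POLICIES)) {
  const verdict = downloadsAllowed(value) ? "download allowed" : "download denied";
  console.log(`${label.padEnd(14)} ${JSON.stringify(value)} -> ${verdict}`);
}
```

Running it shows the reported header denying the download while the variant that adds allow-downloads permits it. One caveat a deployer should keep in mind: a response may carry several Content-Security-Policy headers, and every policy is enforced, so a download is blocked if any one of them sandboxes the document without allow-downloads; this example models a single policy.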
Comment 2•4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 3•1 year ago
This seems to have been fixed by bug 1768537.