Open Bug 1653678 Opened 4 years ago Updated 1 year ago

Content Security Policy directive "sandbox" does not support value "allow-downloads"

Categories

(Core :: DOM: Security, enhancement, P3)

78 Branch
enhancement

Tracking

()

UNCONFIRMED

People

(Reporter: candrews, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

  1. Visit https://www.integralblue.com/allow-downloads/index.html
  2. Click the "Download" link

Actual results:

File download dialog appears

Expected results:

The download should be denied.

I'm not sure if the UA should navigate to https://www.integralblue.com/logo.png or simply do nothing.

https://www.integralblue.com/allow-downloads/index.html includes an Content Security Policy header with "sandbox allow-frames"
Since the "sandbox" directive doesn't include the "allow-downloads" directive-value, downloads should be denied.

See https://w3c.github.io/webappsec-csp/#directive-sandbox where it says:

The sandbox directive specifies an HTML sandbox policy which the user agent will apply to a resource, just as though it had been included in an iframe with a sandbox property.

For Firefox's support for the iframe sandbox property including a value of "allow-downloads" see bug 1558394

Also, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox currently does not document "allow-downloads" - it should.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Blocks: csp-w3c-3
Severity: -- → S4
Priority: -- → P3
See Also: → 1558394
Whiteboard: [domsecurity-backlog1]

This seems to have been fixed bug 1768537.

You need to log in before you can comment on or make changes to this bug.