Open Bug 1721296 Opened 4 years ago Updated 1 month ago

CSP 'self' not applying to nested srcdoc iframes

Categories

(Core :: DOM: Security, defect, P3)

Firefox 89
defect

People

(Reporter: mozilla-ri, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

  1. Create a srcdoc iframe with another srcdoc iframe inside.
  2. Serve the top-level HTML with the Content-Security-Policy header set to script-src 'self';.

HTML:

<html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self';">
  </head>
  <body>
    Top frame.<br>
    <iframe srcdoc="
      Outer frame.<br>
      <iframe srcdoc=&quot;
        Inner frame. <span id='loading'>Loading script...</span><br>
        <script src='static/js/script.js'></script>
      &quot;></iframe>"></iframe>
  </body>
</html>

script.js:

document.addEventListener('DOMContentLoaded', () => {
  document.getElementById('loading').innerHTML = 'Successfully loaded script.';
});

Actual results:

The inner iframe did not load the script, and the following error appears in the JavaScript console:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Expected results:

The script should have been loaded.

Note that loading a script in the outer srcdoc iframe works just fine; it's only the inner srcdoc iframe inside the outer srcdoc iframe that has problems.
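As an added illustration (not code from this report or from Firefox): a simplified model of how script-src 'self' should resolve for a script requested from nested srcdoc documents, beside a "one level up" model that reproduces the reported symptom. Both are assumptions about semantics, not a claim about the actual cause in Gecko; the frame chains and origins below are constructed samples.

```javascript
// Added example, not code from the bug report. Assumed model: a srcdoc document
// inherits the CSP, the origin and the base URL of the document that created it,
// so 'self' and relative script URLs must be resolved against the nearest
// ancestor whose document has a real URL rather than about:srcdoc.
const ABOUT_SRCDOC = 'about:srcdoc';

// frameChain lists document URLs from the top-level document down to the
// document issuing the script request, e.g.
// ['https://example.test/page', 'about:srcdoc', 'about:srcdoc'].
function creatorUrl(frameChain) {
  for (let i = frameChain.length - 1; i >= 0; i--) {
    if (frameChain[i] !== ABOUT_SRCDOC) return new URL(frameChain[i]);
  }
  throw new Error('a srcdoc document always has a non-srcdoc ancestor');
}

// Expected behaviour: 'self' means the creator's origin, and a relative script
// URL resolves against the creator's URL, however deeply srcdoc frames nest.
function selfAllowsScript(frameChain, scriptUrl) {
  const creator = creatorUrl(frameChain);
  const resolved = new URL(scriptUrl, creator);
  return resolved.origin === creator.origin;
}

// Hypothetical "one level up" model that matches the symptom in the report:
// 'self' is taken from the immediate parent only. One srcdoc level works
// (parent is the real page); two levels fail, because the parent is itself
// about:srcdoc, whose origin is opaque ('null' in the URL API) and against
// which a relative URL cannot even be resolved.
function oneLevelUpSelfAllowsScript(frameChain, scriptUrl) {
  const own = frameChain[frameChain.length - 1];
  const ref = new URL(own === ABOUT_SRCDOC ? frameChain[frameChain.length - 2] : own);
  let resolved;
  try {
    resolved = new URL(scriptUrl, ref);
  } catch {
    return false; // relative URL against about:srcdoc: no resolution possible
  }
  return ref.origin !== 'null' && resolved.origin === ref.origin;
}

// Constructed samples: the report's layout (two nested srcdoc frames) and the
// single-level case the reporter says works.
const NESTED = ['https://example.test/page', ABOUT_SRCDOC, ABOUT_SRCDOC];
const SINGLE = ['https://example.test/page', ABOUT_SRCDOC];
```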

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Thanks for reporting. I can see that being a problem, but having to put that in the backlog for now.

Blocks: csp-w3c-3
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
See Also: → 1803475
Depends on: 1899512

This seems to be the exact reason why Etherpad doesn't work in Firefox on my university's instance (in this case, Etherpad is embedded in Moodle and BigBlueButton and in both cases it throws an error and is unusable).
The issue related to that can be found here:

https://github.com/ether/etherpad-lite/issues/4975#issuecomment-882989385

It would be great if this could be fixed :/

I've set up a repo that reproduces the bug and want to try to fix it. Let's see how far I'll come :)
https://github.com/marekkrug/firefox-csp-problem-fixing
