Open Bug 1721296 Opened 4 years ago Updated 9 months ago

CSP 'self' not applying to nested srcdoc iframes

Categories

(Core :: DOM: Security, defect, P3)

Firefox 89
defect


People

(Reporter: mozilla-ri, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

  1. Create a srcdoc iframe with another srcdoc iframe inside.
  2. Serve the top-level HTML with the Content-Security-Policy header set to script-src 'self';.

HTML:

<html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self';">
  </head>
  <body>
    Top frame.<br>
    <iframe srcdoc="
      Outer frame.<br>
      <iframe srcdoc=&quot;
        Inner frame. <span id='loading'>Loading script...</span><br>
        <script src='static/js/script.js'></script>
      &quot;></iframe>"></iframe>
  </body>
</html>

script.js:

document.addEventListener('DOMContentLoaded', () => {
  document.getElementById('loading').innerHTML = 'Successfully loaded script.';
});

Actual results:

The inner iframe did not load the script, and the following error appears in the JavaScript console:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Expected results:

The script should have been loaded.

Note that loading a script in the outer srcdoc iframe works just fine; it's only the inner srcdoc iframe inside the outer srcdoc iframe that has problems.
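A local harness for reproducing the steps above, added here as an example and not the reporter's code. It serves a page like the one in the report, but sends the policy as a real Content-Security-Policy header (as step 2 says) rather than the <meta> tag in the reporter's HTML, and serves static/js/script.js from the same origin so that 'self' should match. The nesting helper shows why the report's inner srcdoc uses &quot;: each extra level of srcdoc needs one more round of attribute escaping. The port, paths and function names are assumptions for this example; the depth parameter generalises the report's two-level case.

```python
"""Reproduction harness for CSP 'self' inside nested srcdoc iframes.

Added example (not the bug report's own code). Assumed: port 8000 on
127.0.0.1, the script path static/js/script.js from the report, and the
helper names below.
"""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer

CSP_POLICY = "script-src 'self';"  # policy from the report

# script.js from the report, served from the same origin as the page
SCRIPT_JS = """document.addEventListener('DOMContentLoaded', () => {
  document.getElementById('loading').innerHTML = 'Successfully loaded script.';
});
"""

# Markup of the innermost frame, taken from the report
INNER_MARKUP = (
    "Inner frame. <span id='loading'>Loading script...</span><br>"
    "<script src='static/js/script.js'></script>"
)

PREFIX = '<iframe srcdoc="'
SUFFIX = '"></iframe>'


def srcdoc_iframe(body_markup: str) -> str:
    """Wrap markup in an <iframe srcdoc="..."> attribute.

    html.escape() turns " into &quot; and & into &amp;, so applying it once
    per nesting level yields the escaping a browser needs: the second level
    becomes &amp;quot;, exactly what hand-written nested srcdoc attributes
    (like the &quot; in the report) must look like one level deeper.
    """
    return PREFIX + html.escape(body_markup, quote=True) + SUFFIX


def nested_srcdoc(body_markup: str, depth: int) -> str:
    """Nest body_markup inside `depth` srcdoc iframes (depth=2 is the report)."""
    markup = body_markup
    for _ in range(depth):
        markup = srcdoc_iframe(markup)
    return markup


def outer_srcdoc_value(markup: str) -> str:
    """Decode the outermost srcdoc attribute, as the browser's parser would."""
    if not (markup.startswith(PREFIX) and markup.endswith(SUFFIX)):
        raise ValueError("not a srcdoc iframe produced by srcdoc_iframe()")
    return html.unescape(markup[len(PREFIX):-len(SUFFIX)])


def build_page(depth: int = 2) -> str:
    """Top-level document; the CSP is sent as a header, not as <meta>."""
    return (
        "<html><body>Top frame.<br>\n"
        + nested_srcdoc(INNER_MARKUP, depth)
        + "\n</body></html>\n"
    )


class Handler(BaseHTTPRequestHandler):
    """Serves / (with the CSP header) and the script from the same origin."""

    def do_GET(self):
        if self.path == "/":
            body, ctype = build_page().encode(), "text/html; charset=utf-8"
        elif self.path == "/static/js/script.js":
            body, ctype = SCRIPT_JS.encode(), "text/javascript"
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        if ctype.startswith("text/html"):
            # Header form of the policy, as in step 2 of the report
            self.send_header("Content-Security-Policy", CSP_POLICY)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run the script and open http://127.0.0.1:8000/ in the affected Firefox build: if the bug is present, the innermost frame stays at "Loading script..." and the console shows the script-src block from the report, while a depth of 1 loads the script. Changing the default depth in build_page() lets you check whether deeper nesting behaves the same way.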

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Thanks for reporting. I can see that being a problem, but I'm having to put that in the backlog for now.

Blocks: csp-w3c-3
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
See Also: → 1803475
Depends on: 1899512