Closed Bug 1745648 Opened 3 years ago Closed 3 years ago

(Cross-origin) (post-redirect) URL leakage via CSP violation of frame-ancestors directive

Categories

(Core :: DOM: Security, defect)

defect

Tracking


RESOLVED DUPLICATE of bug 1735856

People

(Reporter: robwu, Unassigned)

Details

When a website specifies a CSP with a frame-ancestors directive, a policy violation (i.e. loading in a parent page) triggers the securitypolicyviolation event in the (potentially cross-origin) parent page, AND the full (post-redirect) URL of the framed content is leaked via event.documentURI.

STR:

  1. Visit example.com
  2. Open the console and run the following snippet:
     f = document.createElement("iframe");
     // Redirects to a page served with "Content-Security-Policy: frame-ancestors"
     // (an empty source list, so no ancestor is allowed to embed it).
     f.src = "https://httpbingo.org/redirect-to?url=" +
       encodeURIComponent("https://httpbingo.org/response-headers?content-security-policy=frame-ancestors");
     // Any violation of the framed page's policy is reported here, in the parent document.
     document.addEventListener("securitypolicyviolation", console.warn);
     document.body.append(f);
  3. Look at the console. If there is any logged event, inspect the blockedURI and documentURI fields.

Expected:

  • There should not be a reported CSP violation (like Chrome).

Actual:

  • The CSP violation is reported, with blockedURI = "" and documentURI set to the full redirection target of the frame.

It looks like this CSP violation reporting was designed for use with report-uri. In that case, the CSP is defined by the frame, and a failure to load the frame should result in a CSP violation report delivered to the report-uri endpoint (defined by the CSP), where the values of ancestor URLs are redacted to avoid information leakage.

However, in this case, the CSP from the framed page inadvertently triggers the securitypolicyviolation event in the parent (cross-origin) page. In that case, blockedURI would have been safe to expose, but documentURI should not have been the full URI of the page.
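The two decisions the report turns on, modelled as an added example (not code from the bug report or from Firefox): whether a parent of a given origin is allowed by the framed page's frame-ancestors source list, and what a listener is entitled to see of the framed document's URL. The redaction rule is an assumption for illustration (same-origin listeners get the full URL minus the fragment, cross-origin listeners only the origin), and ports in host-sources are ignored.

```javascript
// Source list of the frame-ancestors directive in a CSP header value,
// or null when the header carries no such directive.
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// True if `sources` permits a parent at `parentOrigin` to embed a document
// from `selfOrigin`. An empty list, as produced by the header in the STR,
// matches nothing, the same as 'none'. Ports are ignored (simplification).
function frameAncestorsAllows(sources, parentOrigin, selfOrigin) {
  const parent = new URL(parentOrigin);
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") { if (parent.origin === selfOrigin) return true; continue; }
    // scheme-source, e.g. "https:"
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { if (parent.protocol === src) return true; continue; }
    // host-source: optional scheme, optional "*." wildcard, host, optional port
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::[0-9*]+)?$/.exec(src);
    if (!m) continue;
    const [, scheme, wildcard, host] = m;
    if (scheme && parent.protocol !== scheme + ":") continue;
    if (wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host) return true;
  }
  return false;
}

// Assumed redaction: a cross-origin listener learns only the origin, never
// the path, query or fragment of the (post-redirect) framed document.
function stripForListener(documentURI, listenerOrigin) {
  const u = new URL(documentURI);
  if (u.origin !== listenerOrigin) return u.origin;
  u.hash = "";
  return u.href;
}

// Outcome of a parent at `parentOrigin` framing `framedUrl` (the final,
// post-redirect URL), which was served with `cspHeader`.
function simulateEmbed(cspHeader, framedUrl, parentOrigin) {
  const selfOrigin = new URL(framedUrl).origin;
  const sources = parseFrameAncestors(cspHeader);
  const blocked = sources !== null && !frameAncestorsAllows(sources, parentOrigin, selfOrigin);
  return { blocked, documentURI: stripForListener(framedUrl, parentOrigin) };
}
```

With the STR values, simulateEmbed reports the embed as blocked and hands the example.com listener "https://httpbingo.org" rather than the full response-headers URL.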

Group: core-security → dom-core-security
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security