Closed Bug 1756307 Opened 4 years ago Closed 2 years ago

CSP 'self' not applying to doubly-nested iframe src='data:'

Categories

(Core :: DOM: Security, defect, P3)

Firefox 99
defect


RESOLVED INCOMPLETE

People

(Reporter: su3604, Unassigned)

Details

(Whiteboard: [domsecurity-backlog3])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36

Steps to reproduce:

  1. Access the following page:

<!DOCTYPE html>
<html>
<head>
    <!-- Policy under test: only same-origin scripts are allowed. No nonce source is listed, so the nonce=123 attribute below plays no part in the decision. -->
    <meta http-equiv="Content-Security-Policy" content="script-src 'self';">
</head>
<body>
    <!-- [self_url] stands for the origin this page is served from; self.js is any script hosted on that origin -->
    <iframe src="data:text/html,<iframe src='data:text/html,<script src=http://[self_url]/self.js nonce=123></script>'></iframe>"></iframe>
</body>
</html>

Actual results:

The inner iframe did not load the script, and the following error appears in the JavaScript console:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Expected results:

The script should have been loaded.

Note that loading a script in the outer iframe src works just fine, it's only the inner iframe src inside the outer iframe src that has problems.

I also note that this page works as expected in Chrome and Edge.

Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security

This sounds wrong, as you say, but it's wrong in a "safe" way of blocking too much (and breaking sites in development) and not "failing open". I think we can best handle this as a non-security bug where more engineers will be able to participate.

Group: dom-core-security
Summary: CSP 'self' not applying to nested iframe src='data:' → CSP 'self' not applying to doubly-nested iframe src='data:'

So the CSP is being inherited through, but not the concept of self. I wonder if relative URLs are also wrong and we're just being entirely confused about the context of the double-nesting? I'm guessing that since you appear to have explicitly had to set [self] in the script URL instead of a relative URL that CSP is not the source of the problem here.

Do relative URLs work in Chrome?

Flags: needinfo?(su3604)

My comment 2 is wrong. If I change the CSP to explicitly set "script-src example.com;", that didn't help.

Are there cases where we block too LITTLE -- that would be a potential CSP bypass and more serious (maybe a security bug)?

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]

A needinfo is requested from the reporter, however, the reporter is inactive on Bugzilla. Closing the bug as incomplete.

For more information, please visit BugBot documentation.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(su3604)
Resolution: --- → INCOMPLETE