Open Bug 1886794 Opened 2 years ago Updated 2 years ago

CSP frame-ancestor violation console message doesn't show URL for cross-origin iframes

Categories

(Core :: DOM: Security, defect)

Firefox 123
defect

Tracking

()

People

(Reporter: jannis, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Steps to reproduce:

  • Open devtools
  • Visit a website that embeds a cross-origin iframe with Content-Security-Policy: frame-ancestors 'none'; report-uri <report-uri>
  • Website is blocked but no message is shown in the console.
  • Visit a website that embeds a same-origin iframe with Content-Security-Policy: frame-ancestors 'none'; report-uri <report-uri>
  • Website is blocked and message is shown in the console

Cross-Origin Example: https://echo.tecsec.rocks/echo/?ecocnt_css=%3Ciframe%20src=%22https://echo.sectec.rocks/echo/?Content-Security-Policy=report-uri%20https://enp8qbj7azvfs.x.pipedream.net;%20frame-ancestors%20%27none%27%22%3E%3C/iframe%3E
Same-Origin Example: https://echo.sectec.rocks/echo/?ecocnt_css=%3Ciframe%20src=%22https://echo.sectec.rocks/echo/?Content-Security-Policy=report-uri%20https://enp8qbj7azvfs.x.pipedream.net;%20frame-ancestors%20%27none%27%22%3E%3C/iframe%3E

Actual results:

No message is shown for the cross-origin example.
For the same-origin example: "Content-Security-Policy: The page’s settings blocked the loading of a resource at <url> (“frame-ancestors”)." is shown.

Expected results:

Both examples should show an error message in the console tab.
In Chromium and Safari error messages are shown for both cross-origin and same-origin frame-ancestor violators.

Hello jannis, thanks for the report.
We can reproduce on Firefox release, but it looks like it's been fixed on Firefox beta (125).
Could you check on beta to see if that fixes your issue?

Tom, would you know where this was fixed?

Type: enhancement → defect
Flags: needinfo?(evilpies)

We show the following message since bug 1848315:

Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-ancestors) at <unknown> because it violates the following directive: “frame-ancestors 'none'”

Previously we would not output anything, because the URL was empty, caused by the censoring of cross-origin URLs for frame-ancestors. However we obviously don't really need to do this for console messages, only for reports. So there is still a smaller issues here, <unknown> should be be the actual URL.

Component: Console → DOM: Security
Depends on: 1848315
Product: DevTools → Core
Flags: needinfo?(evilpies)

I tested it on Nightly (126.0a1) and could see the new error message "Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-ancestors) at <unknown> because it violates the following directive: “frame-ancestors 'none'”".

I would suggest to rename the message. Currently, "the page's settings" sounds like it would refer to the top-level page. Instead it actually refers to the settings of the framed resource that set "frame-ancestors 'none'".
Maybe something like:

The loading of <URL> in a frame is denied by the “Content-Security-Policy frame-ancestors“ directive set to “none“.
Which would align with what is shown for XFO violations:
The loading of “https://echo.sectec.rocks/echo/?x-frame-options=deny” in a frame is denied by “X-Frame-Options“ directive set to “deny“.

Updated summary to reflect partial fix by bug 1848315 (fixed in Firefox 125)

Severity: -- → S4
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: CSP frame-ancestor violation message not shown for cross-origin iframes → CSP frame-ancestor violation console message doesn't show URL for cross-origin iframes
Whiteboard: [domsecurity-backlog]

It's worth fixing the missing URL part.

Probably not worth special-casing the console message. It's awkward, but developers will figure it out since the directive is given

You need to log in before you can comment on or make changes to this bug.