CSP frame-ancestor violation console message doesn't show URL for cross-origin iframes
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: jannis, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog])
Steps to reproduce:
- Open devtools
- Visit a website that embeds a cross-origin iframe with
Content-Security-Policy: frame-ancestors 'none'; report-uri <report-uri> - Website is blocked but no message is shown in the console.
- Visit a website that embeds a same-origin iframe with
Content-Security-Policy: frame-ancestors 'none'; report-uri <report-uri> - Website is blocked and message is shown in the console
Cross-Origin Example: https://echo.tecsec.rocks/echo/?ecocnt_css=%3Ciframe%20src=%22https://echo.sectec.rocks/echo/?Content-Security-Policy=report-uri%20https://enp8qbj7azvfs.x.pipedream.net;%20frame-ancestors%20%27none%27%22%3E%3C/iframe%3E
Same-Origin Example: https://echo.sectec.rocks/echo/?ecocnt_css=%3Ciframe%20src=%22https://echo.sectec.rocks/echo/?Content-Security-Policy=report-uri%20https://enp8qbj7azvfs.x.pipedream.net;%20frame-ancestors%20%27none%27%22%3E%3C/iframe%3E
Actual results:
No message is shown for the cross-origin example.
For the same-origin example: "Content-Security-Policy: The page’s settings blocked the loading of a resource at <url> (“frame-ancestors”)." is shown.
Expected results:
Both examples should show an error message in the console tab.
In Chromium and Safari error messages are shown for both cross-origin and same-origin frame-ancestor violators.
Comment 1•2 years ago
|
||
Hello jannis, thanks for the report.
We can reproduce on Firefox release, but it looks like it's been fixed on Firefox beta (125).
Could you check on beta to see if that fixes your issue?
Tom, would you know where this was fixed?
Comment 2•2 years ago
|
||
We show the following message since bug 1848315:
Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-ancestors) at <unknown> because it violates the following directive: “frame-ancestors 'none'”
Previously we would not output anything, because the URL was empty, caused by the censoring of cross-origin URLs for frame-ancestors. However we obviously don't really need to do this for console messages, only for reports. So there is still a smaller issues here, <unknown> should be be the actual URL.
Updated•2 years ago
|
I tested it on Nightly (126.0a1) and could see the new error message "Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-ancestors) at <unknown> because it violates the following directive: “frame-ancestors 'none'”".
I would suggest to rename the message. Currently, "the page's settings" sounds like it would refer to the top-level page. Instead it actually refers to the settings of the framed resource that set "frame-ancestors 'none'".
Maybe something like:
The loading of <URL> in a frame is denied by the “Content-Security-Policy frame-ancestors“ directive set to “none“.
Which would align with what is shown for XFO violations:
The loading of “https://echo.sectec.rocks/echo/?x-frame-options=deny” in a frame is denied by “X-Frame-Options“ directive set to “deny“.
Comment 4•2 years ago
|
||
Updated summary to reflect partial fix by bug 1848315 (fixed in Firefox 125)
Comment 5•2 years ago
|
||
It's worth fixing the missing URL part.
Probably not worth special-casing the console message. It's awkward, but developers will figure it out since the directive is given
Description
•