Closed Bug 1891466 Opened 3 months ago Closed 25 days ago

CSP frame-ancestors incorrectly ignores the path component

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1899512

People

(Reporter: jannis, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

jannis

Reporter

Description

•

3 months ago

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0

Steps to reproduce:

Frame a page with a path in the the CSP, e.g., CSP: frame-ancestors https://sub.headers.websec.saarland/abc/;
Observe that it is not blocked: https://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=CSP-FA&first_id=6130&last_id=6134&scheme=https&t_resp_id=6132&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu

Actual results:

Path is ignored in Firefox: frames loads and sends a message to the parent page
Path is not-ignored in Chromium/Safari: frame does not load (even if the path matches the current page, the frame would not load)

Expected results:

If I understand the specifications correctly, the behavior of Chromium and Safari seem to be correct: https://w3c.github.io/webappsec-csp/#directive-frame-ancestors

The input to algorithm 6.7.2.7 is the the top-level origin, the source-list (CSP policy) and the origin of the frame. Then in 6.7.2.8.3.6 the path of the source-list (here /abc/) is matched against the path of the top-level origin (that is always empty as it is an origin and not a URL). So no path should ever match?

Tom Schuster (MoCo)

Updated

•

2 months ago

Blocks: CSP

BugBot [:suhaib / :marco/ :calixte]

Comment 1

•

2 months ago

The severity field is not set for this bug.
:freddy, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(fbraun)

Frederik Braun [:freddy]

Comment 2

•

2 months ago

Would be nice if we fixed it. Adding to team backlog.

Priority: -- → P4

Whiteboard: [domsecurity-backlog2]

Frederik Braun [:freddy]

Comment 3

•

1 month ago

Is that something you would like to take a look at, Tom?

Flags: needinfo?(fbraun) → needinfo?(tschuster)

Tom Schuster (MoCo)

Updated

•

1 month ago

Depends on: 1899512

Tom Schuster (MoCo)

Comment 4

•

1 month ago

I think we can either fix this as a part of bug 1899512, which I had started working on for a bit, but it's difficult to say how quickly that can be resolved or we do something more targeted.

Flags: needinfo?(tschuster)

Frederik Braun [:freddy]

Comment 5

•

25 days ago

Let's close this in bug 1899512. Given this has only shown up now, I don't see the need for a targeted fix. (Unless we hear of wider site breakage).

Status: UNCONFIRMED → RESOLVED

Closed: 25 days ago

Duplicate of bug: 1899512

Resolution: --- → DUPLICATE

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

CSP frame-ancestors incorrectly ignores the path component

Categories

(Core :: DOM: Security, defect, P4)

Tracking

()

People

(Reporter: jannis, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5