CSP frame-ancestors incorrectly ignores the path component
Categories: Core :: DOM: Security, defect, P4
People: Reporter: jannis, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog2]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Steps to reproduce:
- Frame a page with a path in the CSP, e.g.,
CSP: frame-ancestors https://sub.headers.websec.saarland/abc/;
- Observe that it is not blocked: https://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=CSP-FA&first_id=6130&last_id=6134&scheme=https&t_resp_id=6132&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu
Actual results:
- Path is ignored in Firefox: frame loads and sends a message to the parent page
- Path is not ignored in Chromium/Safari: frame does not load (even if the path matches the current page, the frame would not load)
Expected results:
If I understand the specifications correctly, the behavior of Chromium and Safari seems to be correct: https://w3c.github.io/webappsec-csp/#directive-frame-ancestors
The input to algorithm 6.7.2.7 is the top-level origin, the source-list (CSP policy) and the origin of the frame. Then in 6.7.2.8.3.6 the path of the source-list (here /abc/) is matched against the path of the top-level origin (that is always empty as it is an origin and not a URL). So no path should ever match?
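As an added illustration (not Firefox code, not the spec text and not the reporter's test page), the matching steps the report cites modelled in JavaScript: the ancestor is passed as an origin, so its path is empty and a source expression carrying a path-part can never match, while the ignorePath option reproduces the Firefox behaviour described above. Function names and the ignorePath option are this example's own; keyword sources, scheme-only sources and wildcard ports are not modelled.

```javascript
// Added example, not Firefox or spec code; names and the ignorePath option are this example's own.
// Parse "scheme://host[:port][/path]". 'self', scheme-only sources and wildcard ports are rejected.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(),
           port: m[3] ? Number(m[3]) : null, path: m[4] || "" };
}

// Simplified host-part match: "*" matches anything, "*.example" matches subdomains.
function hostPartMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// CSP3 "path-part match": both paths are strictly split on "/"; a trailing "/" in the
// expression asks for a prefix match, otherwise the segment lists must be identical.
function pathPartMatches(exprPath, urlPath) {
  const exact = !exprPath.endsWith("/");
  const a = exprPath.split("/");
  const b = urlPath.split("/");
  if (a.length > b.length) return false;
  if (exact && a.length !== b.length) return false;
  if (!exact) a.pop(); // drop the empty segment produced by the trailing "/"
  return a.every((seg, i) => decodeURIComponent(seg) === decodeURIComponent(b[i]));
}

// "Does url match expression?" where the url is an ancestor *origin* ({scheme, host, port}),
// which has no path. ignorePath = true reproduces the Firefox behaviour the report
// describes: the path-part is dropped entirely instead of being compared.
function originMatchesExpression(expr, origin, { ignorePath = false } = {}) {
  const e = parseSourceExpression(expr);
  const scheme = e.scheme || origin.scheme; // simplification: the spec uses the policy's origin
  if (!(scheme === origin.scheme || (scheme === "http" && origin.scheme === "https"))) return false;
  if (!hostPartMatches(e.host, origin.host)) return false;
  const def = { https: 443, http: 80 };
  const originPort = origin.port ?? def[origin.scheme];
  if (e.port === null ? originPort !== def[origin.scheme] : e.port !== originPort) return false;
  if (e.path === "" || ignorePath) return true; // no path-part to check: Matches
  return pathPartMatches(e.path, "");            // origin path is empty: never matches
}

// Policy lint: frame-ancestors entries with a path are dead per spec and silently widened in Firefox.
function pathBearingFrameAncestors(sourceList) {
  return sourceList.trim().split(/\s+/)
    .filter(s => !s.startsWith("'") && parseSourceExpression(s).path !== "");
}
```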
Comment 1•2 months ago
The severity field is not set for this bug.
:freddy, could you have a look please?
For more information, please visit BugBot documentation.
Comment 2•2 months ago
Would be nice if we fixed it. Adding to team backlog.
Comment 3•1 month ago
Is that something you would like to take a look at, Tom?
Comment 4•1 month ago
I think we can either fix this as a part of bug 1899512, which I had started working on for a bit, but it's difficult to say how quickly that can be resolved or we do something more targeted.
Comment 5•25 days ago
Let's close this in bug 1899512. Given this has only shown up now, I don't see the need for a targeted fix. (Unless we hear of wider site breakage).