Open mykmelez opened 8 years ago
Perhaps we just need to check nsDocShell::GetIsMozBrowserOrApp before deciding whether or not to enforce the frame-ancestor policy, although it returns false in this case, as mFrameType is FRAME_TYPE_REGULAR for the docshell, which seems wrong. So perhaps it's being set incorrectly somewhere.
See my comment, seems like a more general problem than just CSP.
It could also be an issue that nsCSPContext::PermitsAncestry generates ancestorsArray by walking the docshell tree until it reaches a docshell whose document URI scheme is chrome, which won't be the case here, as the URL of the document that contains the mozbrowser will be a file: URL like file:///path/to/positron/test/hello-world/index.html.
I agree checking for the chrome
scheme seems suspicious. I would think this code actually wants to check for typeChrome
on the parent tree item instead. That's how most code paths seem to find the the top of the content tree.
Upstream bug with fix using @jryans suggestions of checking ItemType https://bugzilla.mozilla.org/show_bug.cgi?id=1277102
Per https://github.com/mozilla/positron/pull/60#issuecomment-222393667, loading a URL whose CSP forbids framing (like https://github.com/) into a <webview> fails with an alert dialog that says, "This page has a content security policy that prevents it from being loaded in this way."
The dialog is triggered by nsDocument::InitCSP, presumably because that function thinks it's being loaded in a frame, since there's an mDocumentContainer docshell for the mozbrowser.
https://dxr.mozilla.org/mozilla-central/rev/4d63dde701b47b8661ab7990f197b6b60e543839/dom/base/nsDocument.cpp#2948
Perhaps we just need to check nsDocShell::GetIsMozBrowserOrApp before deciding whether or not to enforce the frame-ancestor policy, although it returns false in this case, as mFrameType is
FRAME_TYPE_REGULAR
for the docshell, which seems wrong. So perhaps it's being set incorrectly somewhere.It could also be an issue that nsCSPContext::PermitsAncestry generates ancestorsArray by walking the docshell tree until it reaches a docshell whose document URI scheme is
chrome
, which won't be the case here, as the URL of the document that contains the mozbrowser will be a file: URL like file:///path/to/positron/test/hello-world/index.html.