w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

Are nonces allowed/supported in frame-src? #433

Open viraptor opened 4 years ago

viraptor commented 4 years ago

I'm running into a weird situation in practice in both FF and Chrome where if I send `frame-src 'nonce-...';`, the browsers still don't allow a nonce-tagged iframe to load. Chrome even explicitly returns:

Refused to frame '...' because it violates the following Content Security Policy directive: "frame-src 'none'".

Reading the spec, it seems that nonces are allowed on frame-src. Am I mistaken in how it works? Or is it that the current implementations don't support it?

bakkot commented 4 years ago

Speaking as an outside observer, my understanding is that such nonces are allowed in the sense of matching the grammar, but they don't actually do anything. frame-src has two associated checks, and both of them only use Does response to request match source list?, which does not care about nonces.

(See also https://github.com/w3c/webappsec-csp/issues/431, which points out a similar discrepancy.)

dveditz commented 4 years ago

Nonces are only checked for script or style. These are called out in the pre- and post- check algorithms for those types, but also the global "match element to source list" algorithm only checks nonces if the element is style or script.

Interesting. I don't think anyone has brought up the possibility of it being a generic whitelisting mechanism. I suppose it could be useful for "infinite scroll" type pages where you don't know what the content is going to be when you're setting up the page's CSP, but you know you want embedding of various user content.
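The two comments above describe two different matching algorithms, and the difference is the whole answer to the question. As an added example (not code from the CSP spec, from this issue, or from any browser), the following JavaScript models a simplified version of CSP3's "Does url match source list?" and "Does element match source list?" and routes frame-src through the first and script-src through the second. Function names, the sample policies, the nonce value and the origins are constructed for illustration; paths, redirects, hashes and 'strict-dynamic' are left out.

```javascript
// Added example (not code from the CSP spec, this issue, or any browser): a
// simplified model of two CSP3 matching algorithms, showing why 'nonce-…' in
// frame-src parses fine but never matches. Names, policies and origins below
// are constructed for illustration. Paths, redirects, hashes and
// 'strict-dynamic' are omitted.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Elements whose nonce attribute CSP consults: only script and style.
const NONCEABLE = new Set(['script', 'style']);

// Fallback chain per directive: frame-src -> child-src -> default-src, etc.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};

// "frame-src 'nonce-abc' https://a.example; script-src 'self'" -> Map(name -> [sources]).
// A repeated directive name is ignored, as in the spec's parsing algorithm.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// "Does url match expression in origin?" (simplified).
function urlMatchesExpression(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === self.origin;
  // Every other quoted keyword ('none', 'nonce-…', 'sha256-…', 'unsafe-inline')
  // never matches a URL. This is the whole reason a nonce in frame-src is inert.
  if (e.startsWith("'")) return false;
  if (e === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;            // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;                                                       // host-source
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme
    ? url.protocol === scheme + ':'
    : url.protocol === self.protocol || (self.protocol === 'http:' && url.protocol === 'https:');
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  const portOk = !port || port === '*' || port === (url.port || DEFAULT_PORT[url.protocol] || '');
  return schemeOk && hostOk && portOk;
}

// "Does url match source list?": no nonce or hash is ever consulted here.
function urlMatchesSourceList(list, url, self) {
  if (list.length === 1 && list[0].toLowerCase() === "'none'") return false;
  return list.some((expr) => urlMatchesExpression(expr, url, self));
}

// "Does element match source list?": the nonce is checked only for nonceable
// elements, and the comparison is exact (nonces are case-sensitive); otherwise
// fall through to URL matching.
function elementMatchesSourceList(list, element, url, self) {
  if (NONCEABLE.has(element.tag) && element.nonce &&
      list.includes(`'nonce-${element.nonce}'`)) return true;
  return urlMatchesSourceList(list, url, self);
}

// Returns true if the element's request is allowed by the serialized policy.
// element: { tag: 'iframe' | 'script', nonce?: string }; selfOrigin: page origin.
function isAllowed(policy, element, urlString, selfOrigin) {
  const directives = parsePolicy(policy);
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  const name = element.tag === 'iframe' ? 'frame-src' : element.tag === 'script' ? 'script-src' : 'default-src';
  const list = (FALLBACK[name] || [name, 'default-src'])
    .map((n) => directives.get(n)).find((l) => l !== undefined);
  if (!list) return true;                                   // no governing directive
  // frame-src's pre/post-request checks use URL matching only;
  // script-src's use element matching, which is where the nonce is honoured.
  return name === 'frame-src'
    ? urlMatchesSourceList(list, url, self)
    : elementMatchesSourceList(list, element, url, self);
}

// Demo: the same nonce works for <script> but not for <iframe>.
const demoPolicy = "script-src 'nonce-R4nd0m'; frame-src 'nonce-R4nd0m'";
console.log(isAllowed(demoPolicy, { tag: 'script', nonce: 'R4nd0m' }, 'https://cdn.example/app.js', 'https://app.example'));
console.log(isAllowed(demoPolicy, { tag: 'iframe', nonce: 'R4nd0m' }, 'https://widgets.example/', 'https://app.example'));
```

Running it prints `true` for the script and `false` for the iframe: the frame-src list containing only `'nonce-R4nd0m'` has no expression that can ever match a URL, so it behaves exactly like `'none'`, which is what the Chrome message in the issue reports.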

viraptor commented 4 years ago

FTR, my use case was a bit different. The application is so large that keeping a list, getting everyone trained, etc. is challenging. Banning `<iframe` and allowing `<%= nonced_iframe ...` (or whatever the implementation may be), though, is much simpler.

arturjanc commented 4 years ago

I generally like the idea of nonces as a generic mechanism to allow the loading of arbitrary elements, not just script or style. I think the Firefox implementation even allowed this at some point for a number of other elements.

This was proposed as a "web ASLR" a long time ago, see:

I'm not entirely sure there's interest in implementing it at this point, however, especially since a potential (likely?) future direction for CSP is a split into Scripting Policy / Confinement Policy.

egranty commented 3 years ago

> I think the Firefox implementation even allowed this at some point for a number of other elements.

Yes, Mozilla Firefox v52.9.0 ESR (released June 2018, WinXP) did support 'nonce-value' in any element. The situation changed in Firefox v69 (released September 2019). It looks like they looked at how this is implemented in Chrome and unified the behavior of their browser.

Currently only the <script> and <style> elements are "nonceable".