w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

CSP report referrer property in reports with frame-ancestors CSP directive violations #460

Open mxschmitt opened 3 years ago

mxschmitt commented 3 years ago

Coming from the Chromium bug report 742485 and its corresponding CL we thought it makes more sense to bring the discussion to GitHub regarding what value the referrer should have for a CSP violation.

The bug report is about the referrer being null in Chromium when a CSP frame-ancestors violation happens and gets reported to its corresponding report-uri endpoint. In Firefox and WebKit it's filled. A dedicated minimal reproduction can be found here to compare other browsers' behaviour.

(It's not about report-uri and report-to not working in combination in Chromium; that was tracked in https://github.com/w3c/reporting/issues/203 and 1065150.)

The open questions so far are:

annevk commented 3 years ago

What happens if A embeds C and that navigates to B which forbids A through frame-ancestors? Surely it shouldn't report A there.

I always have a hard time reading CSP as the callers are not clear (e.g., how do I find the caller of https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response which I suspect is responsible for doing the reporting?), but I would hope that the referrer is taken from the request there.

antosart commented 3 years ago

Following https://w3c.github.io/webappsec-csp/#should-block-navigation-response 2.1. we "Create a violation object" passing null as global. Following the link, this ends up at https://w3c.github.io/webappsec-csp/#create-violation-for-global, which apparently does not set violation's referrer if global is not a Window. So it would seem, according to the spec, that the referrer is empty in this case.

If we want to change that, I agree with @annevk that the only meaningful thing to take would be the request's referrer. I wonder how helpful that is in the report, however.

gravi2 commented 3 years ago

I came to this ticket when debugging why CSP violations in Chrome did not have the referrer. I thought I would share my comments about the value of the referrer.

In my tests, Firefox and Safari are using report-uri (i.e. the V2 spec of reporting) and they are setting the referrer to the full parent URL, i.e. the top-level frame that contains the iframe with CSP violations.

This, in my opinion, is the right expected behavior, since it allows the authors of the iframe to see who is violating their CSP and take the necessary actions. Without this info, reporting from Chrome only tells you that there is a violation and on which iframe URL it occurred, but not which website is violating the frame-ancestors CSP.

If there is concern that reporting the full referrer is leaking the referrer and is prone to abuse, can we minimally consider reporting the host/domain part of the referrer? Or maybe base it on the Referrer-Policy header of the originating site?
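A report-endpoint normalizer, added here as an example and not code from this thread or from the CSP spec: it accepts both the report-uri and report-to payload shapes discussed above, tolerates the empty referrer the thread describes for Chromium on frame-ancestors violations, and reduces a present referrer to its origin, the host-only reporting floated in the last comment. The sample payloads and the widget.example / parent.example hosts are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample payloads, not captured traffic: a legacy report-uri body
# ("csp-report" wrapper) with the embedder as referrer, as Firefox/Safari send
# it, and a Reporting API (report-to) body with an empty referrer, as the
# thread describes for Chromium on frame-ancestors violations.
REPORT_URI_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://widget.example/embed",
    "referrer": "https://parent.example/page?session=abc123",
    "violated-directive": "frame-ancestors 'self'",
    "effective-directive": "frame-ancestors",
    "original-policy": "frame-ancestors 'self'; report-uri /csp",
    "blocked-uri": "",
}})
REPORT_TO_SAMPLE = json.dumps([{
    "type": "csp-violation", "age": 12, "url": "https://widget.example/embed",
    "body": {"documentURL": "https://widget.example/embed", "referrer": "",
             "effectiveDirective": "frame-ancestors", "blockedURL": "",
             "originalPolicy": "frame-ancestors 'self'; report-to csp"},
}])

def referrer_origin(referrer):
    """Reduce a referrer URL to scheme://host[:port]; None when absent or unparseable.
    Logging only the origin keeps path and query (e.g. session tokens) out of the log."""
    if not referrer:
        return None
    parts = urlsplit(referrer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"

def normalize(raw_body):
    """Return (document, effective_directive, embedder_origin) tuples from either a
    report-uri payload (dict with 'csp-report') or a report-to payload (list)."""
    data = json.loads(raw_body)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
        return [(r.get("document-uri"), directive, referrer_origin(r.get("referrer")))]
    items = data if isinstance(data, list) else []
    bodies = [i.get("body", {}) for i in items if i.get("type") == "csp-violation"]
    return [(b.get("documentURL"), b.get("effectiveDirective"), referrer_origin(b.get("referrer")))
            for b in bodies]

def frame_ancestors_embedders(raw_body):
    """Embedder origins for frame-ancestors violations; None where the report omits the referrer."""
    return [emb for _, directive, emb in normalize(raw_body) if directive == "frame-ancestors"]
```

With the Firefox/Safari-style payload the endpoint learns the embedding origin (https://parent.example); with the Chromium-style payload it records None, which is exactly the gap the thread is about.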