w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

frame-src can leak cross origin information #509

Open antosart opened 2 years ago

antosart commented 2 years ago

CSP frame-src is set by the parent document, yet it controls navigations which might be initiated by other contexts (like the child iframe navigating itself). CSP violations caused by it get reported to the parent document, potentially leaking cross-origin information.

I think we should restrict frame-src to only control the iframe's src attribute, which is set and controlled by the parent.

annevk commented 2 years ago

At least per the specification this concern also applies to child-src and object-src, right? I agree that this is a problem and I like the idea of only enforcing this when src is set for the relevant elements.

antosart commented 2 years ago

You're right, I think this also applies to object-src. Regarding child-src, it applies only when it's a fallback for frame-src. I don't think there is an analogous problem for workers.

antosart commented 2 years ago

And if we want to cover all possible outgoing requests, I guess other types of navigations of iframes (e.g. by setting window.location) would be better governed by navigate-to (which would check the CSP of the initiator of the navigation and report an eventual violation there).

annevk commented 2 years ago

To be clear, navigate-to (and form-action) are scoped to the document that declares the policy. I don't think they should apply to other documents. (So in your example the frame would have to declare its own policy.)

antosart commented 2 years ago

As far as I understand, as per the specification they do (and I believe in Chrome's implementation too). That's another issue though :)
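A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not code from the issue, the spec or any browser): the parent's policy is applied to an iframe navigation with the CSP3 fallback chain frame-src, child-src, default-src, once as today (every navigation of the frame is checked and reported to the parent) and once with the proposed restriction (only navigations the parent set through the src attribute are checked). The origins, paths and the `setBySrcAttribute` flag are constructed for the example.

```javascript
// Added illustration (not from the issue or the spec): a simplified model of
// how a parent's frame-src policy is applied to iframe navigations today
// versus the restriction proposed in the thread (check only the src attribute).

// Resolve the source list using CSP3's fallback chain for frames:
// frame-src -> child-src -> default-src.
function effectiveSourceList(policy) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (policy[name] !== undefined) return { directive: name, sources: policy[name] };
  }
  return null; // no applicable directive: the navigation is not restricted
}

// Minimal source-expression matching: '*', 'self' (the parent's origin) and explicit origins.
function sourceMatches(source, url, parentOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === parentOrigin;
  return url.origin === source;
}

// Simulate one navigation of an iframe embedded by `parentUrl`. `nav.setBySrcAttribute`
// is true when the parent set the iframe's src, false when another context (e.g. the
// child itself via window.location) initiated the navigation. Returns the violation
// report the parent would receive, or null when no violation is generated.
function simulateFrameNavigation(parentUrl, policy, nav, { srcAttributeOnly = false } = {}) {
  const parentOrigin = new URL(parentUrl).origin;
  const target = new URL(nav.url);
  const eff = effectiveSourceList(policy);
  if (eff === null) return null;
  // Proposed change: the parent's policy governs only navigations it set via src.
  if (srcAttributeOnly && !nav.setBySrcAttribute) return null;
  if (eff.sources.some((s) => sourceMatches(s, target, parentOrigin))) return null;
  return {
    "document-uri": parentUrl,           // the report goes to the parent document
    "effective-directive": "frame-src",
    "blocked-uri": target.origin + target.pathname, // cross-origin data the parent learns
    consulted: eff.directive,            // model-only field: which fallback supplied the list
  };
}

// Constructed scenario: the parent allows frames only from itself and widgets.example;
// the embedded frame then navigates itself to a cross-origin page of its own choosing.
const POLICY = { "child-src": ["'self'", "https://widgets.example"] };
const CHILD_NAV = { url: "https://other.example/account/settings", setBySrcAttribute: false };
const current = simulateFrameNavigation("https://parent.example/", POLICY, CHILD_NAV);
const proposed = simulateFrameNavigation("https://parent.example/", POLICY, CHILD_NAV, { srcAttributeOnly: true });
console.log({ current, proposed }); // current carries the child's URL; proposed is null
```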