Open antosart opened 2 years ago
At least per the specification this concern also applies to child-src and object-src, right? I agree that this is a problem and I like the idea of only enforcing this when src is set for the relevant elements.
You're right, I think this also applies to object-src. Regarding child-src, it applies only when it's a fallback for frame-src. I don't think there is an analogous problem for workers.

And if we want to cover all possible outgoing requests, I guess other types of navigations of iframes (e.g. by setting window.location) would be better governed by navigate-to (which would check the CSP of the initiator of the navigation and report an eventual violation there).
To be clear, navigate-to (and form-action) are scoped to the document that declares the policy. I don't think they should apply to other documents. (So in your example the frame would have to declare its own policy.)
As far as I understand, as per the specification they do (and I believe in Chrome's implementation too). That's another issue though :)
CSP frame-src is set by the parent document, yet it controls navigations which might be initiated by other contexts (like the child iframe navigating itself). CSP violations caused by it get reported to the parent document, potentially leaking cross-origin information.
I think we should restrict frame-src to only control the iframe's src attribute, which is set and controlled by the parent.
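To make the two scopings discussed in this thread concrete, here is a small model added as an example (it is not code from the CSP specification, from Chromium, or from any participant in the thread). It parses a policy, applies the frame-src fallback chain (frame-src, then child-src, then default-src), and evaluates one constructed frame navigation under "current" semantics (the parent's frame-src governs every navigation of the frame, and the violation is reported to the parent) and under the "proposed" semantics (frame-src governs only the src the parent set; a navigation the child starts itself is checked against the child's own navigate-to, with any report going to the child). Source-list matching is simplified to 'self', 'none', scheme-only sources and exact origins; the origins and policies in the scenario are constructed for illustration.

```javascript
// Toy model of CSP frame-src / navigate-to scoping (added example, not spec or browser code).
// Source-list matching is deliberately simplified: 'none', 'self', "scheme:", exact origin.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does the target URL match the source list? 'self' is relative to the
// document that declared the policy.
function matchesSourceList(sources, targetUrl, documentOrigin) {
  if (sources.includes("'none'")) return false;
  const target = originOf(targetUrl);
  return sources.some((src) => {
    if (src === "'self'") return target === documentOrigin;
    if (src.endsWith(':')) return target.startsWith(src); // scheme-only source, e.g. "https:"
    return src === target;
  });
}

// frame-src falls back to child-src and then default-src; navigate-to has no fallback.
function effectiveSources(policy, directive) {
  const chain = {
    'frame-src': ['frame-src', 'child-src', 'default-src'],
    'navigate-to': ['navigate-to'],
  };
  for (const name of chain[directive]) {
    if (policy[name]) return { directive: name, sources: policy[name] };
  }
  return null; // no governing directive: the navigation is allowed
}

// nav = { parent: {origin, csp}, child: {origin, csp}, initiator: 'parent'|'child', target }
// semantics = 'current' | 'proposed'
function evaluateNavigation(nav, semantics) {
  let governing;
  if (semantics === 'current' || nav.initiator === 'parent') {
    governing = { doc: 'parent', ...nav.parent, directive: 'frame-src' };
  } else {
    governing = { doc: 'child', ...nav.child, directive: 'navigate-to' };
  }
  const eff = effectiveSources(parseCsp(governing.csp), governing.directive);
  if (!eff) return { allowed: true, directive: null, reportedTo: null, blockedUri: null };
  const allowed = matchesSourceList(eff.sources, nav.target, governing.origin);
  return {
    allowed,
    directive: eff.directive,
    // The report goes to the document whose policy was checked. Under 'current'
    // a child-initiated cross-origin navigation therefore lands in the parent's
    // report, with the child's destination origin as blocked-uri.
    reportedTo: allowed ? null : governing.doc,
    blockedUri: allowed ? null : originOf(nav.target),
  };
}

// Constructed scenario: the parent allows exactly one frame origin; the child
// on that origin has no navigate-to of its own and navigates itself elsewhere.
const scenario = {
  parent: { origin: 'https://parent.example', csp: "default-src 'self'; frame-src https://widget.example" },
  child:  { origin: 'https://widget.example', csp: "default-src 'self'" },
  initiator: 'child',
  target: 'https://third-party.example/page',
};

function demo() {
  return {
    current: evaluateNavigation(scenario, 'current'),
    proposed: evaluateNavigation(scenario, 'proposed'),
    // A src the parent itself sets stays governed by frame-src under both scopings.
    parentSetSrc: evaluateNavigation({ ...scenario, initiator: 'parent' }, 'proposed'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the asymmetry the issue describes: under "current" the child's self-navigation is blocked by the parent's frame-src and the parent's violation report carries the third-party origin, while under "proposed" the same navigation is decided by the child's own policy (and allowed here, because the child declares no navigate-to), so nothing about it reaches the parent.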