-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Interaction of CSP and javascript: URLs in iframe src is not defined anywhere #127
Comments
It is implied by https://w3c.github.io/webappsec-csp/#match-url-to-source-expression, |
Why would that algorithm be invoked at all in this case? It wouldn't be, and it's not, as you can tell from this testcase:
|
Because That's what SHOULD happen. It doesn't though, as both Firefox and Chrome do not implement this algorithm. Instead, it is blocked by JavaScript pre-evaluation check. Chrome treats it as inline script and blocks it, while FF does not thus it isn't blocked. I agree that spec should explicitly say that |
OK, true.
Yes, ok, agreed.
Note that https://www.w3.org/TR/CSP2/#match-source-expression says something quite different from that editor's draft; I assume that's what's shipping in browsers right now. The editor's draft will likely need to be adjusted to avoid breaking existing content in this matter...
Uh... Chrome and FF have identical behavior (to each other) on both of my testcases.
That's certainly what shipping UAs are doing. Though there are open questions as to which document's CSP they're using for it, I bet, since none of this is very specified. |
Yep, https://w3c.github.io/webappsec-csp/#changes-from-level-2 step 9 lists that change as a breaking change.
My bad, restarting FF 49 brought it to the same behavior as Chrome. I'll report issues for both browsers on frame-src behavior. I think CSP3 is is doing the right thing by blocking by default non-network schemes. |
I don't think we'd end up blocking since CSP depends on Fetch and HTML's navigate bypasses Fetch for certain schemes, including |
Ah, good point. That explains part of why frame-src has no effect here, no matter what UAs are implementing under the hood. The fetch thing shouldn't affect the script-src 'inline' behavior, though, since that doesn't hook into CSP via fetch (e.g. it applies to inline So I figured I'd check how the inline So sounds like this needs to be handled over in HTML at least in part. Filed whatwg/html#1901 for that. That said, CSP presumably needs to define a |
Note also that it's not clear to me whether this check should be done on element attributes (iframe@src, object@data, etc) or during the actual navigation. Depends on how you want CSP to handle assignment of location.href to a javascript: URL, for example. This affects whether the Right now at least Gecko handles it during navigation. |
@bzbarsky noted in #127 that we're not handling the inline checks for navigations to `javascript:` URLs correctly. This patch refactors the inline behavior checks in order to support a future patch to HTML in whatwg/html#1901 to wire [1] up to CSP. [1]: https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-documents:javascript-protocol
@bzbarsky noted in #127 that we're not handling the inline checks for navigations to `javascript:` URLs correctly. This patch refactors the inline behavior checks in order to support a future patch to HTML in whatwg/html#1901 to wire [1] up to CSP. [1]: https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-documents:javascript-protocol
@bzbarsky noted in #127 that we're not handling the inline checks for navigations to `javascript:` URLs correctly. This patch refactors the inline behavior checks in order to support a future patch to HTML in whatwg/html#1901 to wire [1] up to CSP. [1]: https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-documents:javascript-protocol
This was addressed in a few commits against CSP and HTML in the linked bugs. |
@mikewest Did we add web platform tests around this stuff? For the fact that unsafe-inline controls this, and the fact that script-src does not, and for which document's CSP gets used? |
@bzbarsky: We upstreamed https://github.com/w3c/web-platform-tests/blob/master/content-security-policy/navigation/to-javascript-url.html which verifies the |
As noted in w3c/webappsec-csp#127, we should have a test verifying that navigation to 'javascript:' is controlled via 'script-src' and not 'frame-src'. R=foolip@chromium.org Review-Url: https://codereview.chromium.org/2880563002 Cr-Commit-Position: refs/heads/master@{#470932}
As noted in w3c/webappsec-csp#127, we should have a test verifying that navigation to 'javascript:' is controlled via 'script-src' and not 'frame-src'. R=foolip@chromium.org Review-Url: https://codereview.chromium.org/2880563002 Cr-Commit-Position: refs/heads/master@{#470932}
As noted in w3c/webappsec-csp#127, we should have a test verifying that navigation to 'javascript:' is controlled via 'script-src' and not 'frame-src'. R=foolip@chromium.org Review-Url: https://codereview.chromium.org/2880563002 Cr-Commit-Position: refs/heads/master@{#470932}
@mikewest Looks good, thanks! |
@bzbarsky noted in w3c/webappsec-csp#127 that we're not handling the inline checks for navigations to `javascript:` URLs correctly. This patch refactors the inline behavior checks in order to support a future patch to HTML in whatwg/html#1901 to wire [1] up to CSP. [1]: https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-documents:javascript-protocol
Consider this testcase:
The text does not show up in either Gecko or Blink, but I see nothing in either the HTML spec or the CSP spec that would produce this behavior.
The text was updated successfully, but these errors were encountered: