Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Using active document of a browsing context introduces a security vulnerability #360
Instances of using the active document of a browsing context introduce a vulnerability where the browsing context could have navigated in the middle of the current request and we are inheriting a new document's CSP.
We should use the request's client.
Places that do this (incorrectly):
Places where the usage is correct and should be kept:
referenced this issue
Nov 5, 2018
It's not clear to me that the use in https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response is correct either, fwiw. "parent’s active document" might not be the same as the document that contained the iframe tag that created the "current" (well, the old value, before we set it to "parent") browsing context.
Yes, but an iframe can be navigated by someone different than its parent and frame-ancestors specifically deals with the embedded chain of an iframe, so using the request is definitely wrong.
Let's say we have parent document A that embeds iframes B and C. B navigates its sibling C to D and D has a
If the parent of an iframe navigates away doesn't the iframe loading stop anyway? I guess I'm not seeing how a "parent's active document" can change without simply stopping the iframe request since it's part of the parent document. Is there a way to change the parent document but keep a child iframe?
Probably yes, but I would be happier if we did not rely on that. For example, if preloading ever gets resurrected, this would become a problem again.
In general, sure, though not necessarily while there is a child request running in the iframe. Both Firefox and Safari implement, and the spec supports, mechanisms that store the whole DOM/JS state in the session history.
Anyway, I think what would make the most sense for frame-ancestors is an algorithm like this:
This is provably correct (in that it walks the ancestor chain of documents involved) without having to think about details of the navigation algorithm and its complicated interactions with all this stuff.