-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using active document of a browsing context introduces a security vulnerability #360
Comments
It's not clear to me that the use in https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response is correct either, fwiw. "parent’s active document" might not be the same as the document that contained the iframe tag that created the "current" (well, the old value, before we set it to "parent") browsing context. |
Yes, but an iframe can be navigated by someone different than its parent and frame-ancestors specifically deals with the embedded chain of an iframe, so using the request is definitely wrong. Let's say we have parent document A that embeds iframes B and C. B navigates its sibling C to D and D has a If the parent of an iframe navigates away doesn't the iframe loading stop anyway? I guess I'm not seeing how a "parent's active document" can change without simply stopping the iframe request since it's part of the parent document. Is there a way to change the parent document but keep a child iframe? |
Sure.
Probably yes, but I would be happier if we did not rely on that. For example, if preloading ever gets resurrected, this would become a problem again.
In general, sure, though not necessarily while there is a child request running in the iframe. Both Firefox and Safari implement, and the spec supports, mechanisms that store the whole DOM/JS state in the session history. Anyway, I think what would make the most sense for frame-ancestors is an algorithm like this:
This is provably correct (in that it walks the ancestor chain of documents involved) without having to think about details of the navigation algorithm and its complicated interactions with all this stuff. |
Instances of using the active document of a browsing context introduce a vulnerability where the browsing context could have navigated in the middle of the current request and we are inheriting a new document's CSP.
Better explained by @bzbarsky here: #358 (comment)
We should use the request's client.
Places that do this (incorrectly):
https://w3c.github.io/webappsec-csp/#initialize-document-csp
https://w3c.github.io/webappsec-csp/#should-block-navigation-request
https://w3c.github.io/webappsec-csp/#should-block-navigation-response
Places where the usage is correct and should be kept:
https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response
The text was updated successfully, but these errors were encountered: