Order of CSP, COEP, CORP, COOP, etc. checks doesn't match Chromium #6564
Comments
Firefox doesn't implement CSP embedded enforcement and I believe the spec is a "monkey-patch" that is injected into the HTML spec from:
Replying to web-platform-tests/wpt#28281 (comment):
Part of the issue is that the CSP specs want to handle all CSP things together. So grouping CSP: frame-ancestors and XFO is a bit unnatural. We could probably make it work by just putting CSP-in-general and XFO together, and relying on the fact that (IIUC) the individual CSP checks do not have a defined order. So if we change the spec to COEP -> CSP -> XFO or CSP -> XFO -> COEP then implementations can always put the frame-ancestors CSP check after/before other CSP checks and thus put it together with XFO.
I suspect they'd be OK with changes here since COEP is relatively new (and only implemented in Gecko and Chromium). Maybe @annevk can help confirm.
When receiving a navigation response, the current HTML specification checks policies in the following order:

- Check CSP
- Check COEP/CORS
- Check X-Frame-Options

X-Frame-Options and CSP:frame-ancestors are very close. They serve the same purpose. CSP:frame-ancestors is the same thing, but more flexible. It overrides X-Frame-Options when defined. There are also warnings displayed to developers when they use an unreasonable combination of both.

The check about COEP in between CSP and X-Frame-Options is unfortunately badly placed. This patch proposes checking it one step earlier.

Related issues:

- zcorpan@ tested ordering: web-platform-tests/wpt#28281
- zcorpan@ opened an issue about inconsistencies between the specification and Chromium: whatwg#6564
I wrote: ArthurSonzogni@3f94b82 If @annevk is interested, I will propose this PR, and update zcorpan@ WPT test expectation.
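As an added illustration (not code from this thread, the HTML spec, or any browser), a simplified Python model of the three checks under discussion, run in the current spec order and in the proposed order, so the reader can see which policy ends up reported as the blocking one for a given response. The parsing is deliberately minimal (frame-ancestors with 'none', 'self', '*' and exact origins only; XFO DENY/SAMEORIGIN), and the COEP rule is the assumed "a require-corp embedder may only embed a document that itself opts in" condition.

```python
from urllib.parse import urlsplit

# Constructed, simplified model of the navigation-response checks discussed
# in this thread. It is not the HTML spec algorithm or any browser's code.

def origin_of(url):
    """Return scheme://host[:port] for a URL (no default-port normalisation)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def csp_frame_ancestors_allows(csp, self_origin, ancestor_origin):
    """Evaluate only frame-ancestors: 'none', 'self', '*' and exact origins."""
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in tokens[1:]]
            if "none" in sources:
                return False
            if "self" in sources and ancestor_origin == self_origin:
                return True
            return "*" in sources or ancestor_origin in sources
    return True  # no frame-ancestors directive: CSP does not restrict framing

def xfo_allows(xfo, self_origin, ancestor_origin):
    value = (xfo or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return ancestor_origin == self_origin
    return True  # absent or unrecognised value: no restriction

def coep_allows(response_coep, embedder_coep):
    """Assumed rule: a require-corp embedder needs a document that opted in."""
    if (embedder_coep or "").strip() != "require-corp":
        return True
    return (response_coep or "").strip() in ("require-corp", "credentialless")

def first_blocking_check(headers, url, ancestor_url, embedder_coep, order):
    """Run the checks in `order`; return the first one that blocks, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    self_origin, ancestor = origin_of(url), origin_of(ancestor_url)
    checks = {
        "csp": lambda: csp_frame_ancestors_allows(h.get("content-security-policy"), self_origin, ancestor),
        "coep": lambda: coep_allows(h.get("cross-origin-embedder-policy"), embedder_coep),
        "xfo": lambda: xfo_allows(h.get("x-frame-options"), self_origin, ancestor),
    }
    for name in order:
        if not checks[name]():
            return name
    return None

CURRENT_SPEC_ORDER = ("csp", "coep", "xfo")  # order described in the thread
PROPOSED_ORDER = ("coep", "csp", "xfo")      # COEP moved one step earlier
```

With a response that fails all three checks, the current order reports CSP first and the proposed order reports COEP first; the reporting difference is exactly what the WPT test in the thread observes.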
No strong opinion, but I believe Firefox does implement CSP reporting so you can probably find out our current order. I do agree it's good to define and test order. 😊
I wrote a test to test ordering of COEP reporting vs CSP and X-Frame-Options, and was a bit puzzled by the observed outcome in chromium. @ArthurSonzogni commented:
Originally posted by @ArthurSonzogni in web-platform-tests/wpt#28281 (comment)
What do Gecko and WebKit do?
I don't see "CSP embedded enforcement" as a term in the CSP or HTML specs.
For upgrade insecure requests, I see https://fetch.spec.whatwg.org/#concept-main-fetch step 5, but don't know if it matches Chromium.