-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify meaning of 'self' for CSPs in meta tags of local-scheme documents #459
Comments
(Related: although it's not a local scheme, I think it would make also sense for 'self' in file: documents to match nothing). |
The Web Platform Test content-security-policy/meta/sandbox-iframe.html was creating a sandboxed srcdoc iframe and checking that 'self' matches the parent's origin in meta-delivered CSP. Independently on the iframe being sandboxed, it is questionable whether 'self' should match anything in the srcdoc iframe (cf. w3c/webappsec-csp#459), so I believe we should remove this test. Firefox and Safari are both failing this test (and at least Firefox fails also if we remove the sandbox). Change-Id: I2a84c1649cf8ac808cb2af3acacdbc99f4380909
See also #405. Per https://w3c.github.io/webappsec-csp/#policy-self-origin it seems like this is intended to work. I also don't think we should treat an opaque origin from a local scheme differently from an opaque origin due to a sandboxed HTTPS document. |
We did do some work a while back to make this functional. Hrm.
What do Gecko and WebKit do here? |
On 1. I think I can agree on Notice that I am explicitly talking only about 'self' in policies parsed from meta elements contained in the local scheme document. It is totally clear that for policies inherited from the main document, we also inherit the meaning of self. |
An (initial) |
If you mean manually opening a new window and/or navigating manually to |
Ok, thanks for the clarification. Let me try to summarize:
(Note: Firefox and Chrome's behaviour seem to differ on 1., see https://wpt.fyi/results/content-security-policy/meta/sandbox-iframe.html?label=experimental&label=master&aligned [which fails on Firefox independently on the srcdoc iframe being sandboxed]. But from @annevk's comments I understand he also agrees that 1. above is the expected behaviour and would like to converge there.) I still believe it would make sense to clarify all of these somewhere in the spec. |
I think that makes sense to align on given the status quo in implementations. Thanks for writing tests! Having said that, I'm not super happy with how CSP seems to largely use URLs to compute authority rather than use the authority of the environment. In particular, |
I am not sure, it depends how developers interpret
I think we should choose one of the two and follow it consistently. Personally I think 1. is more sounded. Mainly because when we inherit policies, I believe we should inherit the meaning of I also believe 1. is more clear to web developers, while I do not see a real need for 2. |
I'm not sure I follow. Inheritance should never happen across the origin boundary. And your response does not discuss sandboxing, which I think is where this comes into play most. (Again, I'm not sure we can change this so we have to go with 1, so our disagreement probably does not matter.) |
If I understand correctly the CSP spec, "Dedicated workers now always inherit their creator’s policy.", also if cross-origin.
That's true, because it's the point I am most unsure about :) In favour of 1. for sandbox, I find it weird that you would have to change your CSPs just because your page gets embedded in a sandboxed iframe (which is, from some point of view, out of your control). |
You are correct, for (It might be good to add a worker section to https://github.com/antosart/policy-container-explained, come to think of it.) Now for sandboxing. I think there are two cases:
Having thought about it a bit I think I'm persuaded that it doesn't really matter what |
I couldn't find out from the spec what the keyword 'self' should mean when the policy is served inside the meta tag of a local-scheme (data: or about: or blob:) document.
I believe it would make sense in those cases for 'self' to match nothing.
In fact, this test https://wpt.fyi/results/content-security-policy/frame-src/frame-src-self-unique-origin.html?label=experimental&label=master&aligned asserts that 'self' in a data: url matches nothing.
The text was updated successfully, but these errors were encountered: