18

I have a webpage (say origin A) that has an iframe embedded in it which loads from a different domain (say B). B loads a bunch of scripts from different domains (various CDNs). My webpage A sets a pretty strict CSP like:

default-src 'none'; script-src 'self'; frame-src B

B doesn't set any CSP headers.

Now I would expect the child frame, B, to inherit the CSP rules of A, and trying to access the various CDNs should be a violation of its CSP because of script-src 'self', but to my surprise, it works smoothly.

So my question is: how is CSP inherited by child iframes? Does it depend on its parent frame's CSP if no CSP is specified for the iframe? If yes, how? Is there any documentation somewhere about it? I couldn't find anything specific that would explain the situation above.

Is there a way I can debug the CSP inherited by child iframes? From Chrome's debugger or FF's debugger, by selecting the iframe and then having the CSP for the iframe show up?

pranavk

1 Answer

25

How is CSP inherited by child iframes?

It’s not — not in the common case (the “loads from a different domain” case in the question).

But there are other ways to populate an iframe, and CSP works differently for those (see below).

Does it depend on its parent frame's CSP if no CSP is specified for the iframe?

No, it doesn’t for the common case (the “loads from a different domain” case in the question).

Is there any documentation somewhere about it

Yes, see the Policy applicability section of the CSP2 specification, which says this:

Embedded Contexts: Any resource included via iframe, object, or embed.

Unless the embedded resource is a globally unique identifier (or a srcdoc iframe), the embedded resource is controlled by the policy delivered with the resource. If the embedded resource is a globally unique identifier or srcdoc iframe, it inherits the policy of the context creating it.

A “globally unique identifier” is something with a data: URL or another kind of URL that’s not a hierarchical URL such as an https/http URL.

So the common case (“loads from a different domain” in the question) is an “embedded resource is controlled by the policy delivered with the resource” case—that is, it doesn’t inherit.

In contrast, if the iframe is a srcdoc iframe, the case is very different and the spec says:

Whenever a user agent creates an iframe srcdoc document in a browsing context nested in the protected resource, if the user agent is enforcing any policies for the protected resource, the user agent MUST enforce those policies on the iframe srcdoc document as well.

That is, a srcdoc iframe does inherit its parent’s CSP policy.

sideshowbarker
  • hmm, so given domain B doesn't have any CSP headers, what will be the default policy values for it? Does it differ from browser to browser? Is there some way to know it, like from the browser console or something? – pranavk Apr 05 '17 at 17:39
  • If domain B doesn’t have any CSP headers, then the browser applies no CSP restrictions and allows everything that would otherwise be allowed—scripts/stylesheets from anywhere, at any URL, inline scripts/stylesheets, etc.—as well as allowing all non-hierarchical schemes that browsers normally allow. That doesn’t differ from browser to browser. If you want to consider in terms of being a CSP “default policy”, then it basically corresponds to something like `default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss:` – sideshowbarker Apr 05 '17 at 18:08
  • 1
    I'm doing some tests and it seems to me like Edge is inheriting frame-src/child-src on embedded iframes no matter what. Chrome does not. – Rhys Jul 12 '17 at 15:03
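As an added illustration (not part of the original question, the answer, or the CSP specification), the following Node.js script models the rule the answer quotes: it parses a serialized CSP, decides which policy governs an iframe's document according to the policy-applicability rule, and applies script-src source matching to predict whether a CDN script load inside the frame would be a violation. The origins a.example, b.example and cdn.example.net and the CDN path are constructed. Treating about:blank and blob: as inheriting, alongside data: and srcdoc, goes slightly beyond the answer's wording and is an assumption of the example; the source matching covers only the expression forms needed here ('self', 'none', '*', scheme and host expressions), not the full CSP grammar.

```javascript
// Added example (not from the original question or answer): a small Node.js
// model of the CSP2 "policy applicability" rule for embedded contexts, plus
// just enough script-src source matching to predict whether a script load
// inside an iframe is a CSP violation. All origins below are constructed.

// Parse "default-src 'none'; script-src 'self'" into Map(directive -> sources).
// The first occurrence of a directive name wins, as the spec requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Which policy governs the frame's document. `frame.srcdoc` marks a srcdoc
// iframe, `frame.src` is the iframe URL, `frame.csp` is the policy delivered
// with the framed resource (omitted when, as in the question, B sends none).
// srcdoc frames and non-hierarchical URLs inherit the parent's policy; the
// about:blank/blob: cases are this example's assumption, not the answer's text.
// A hierarchical (http/https) frame is governed only by its own headers.
function governingPolicy(parentCsp, frame) {
  if (frame.srcdoc !== undefined) return parentCsp;
  const src = frame.src ?? 'about:blank';
  if (src === 'about:blank' || /^(data|blob):/i.test(src)) return parentCsp;
  return frame.csp ?? null; // null: nothing restricts the frame at all
}

// Origin used to evaluate 'self' inside the frame: srcdoc/about:blank share
// the parent's origin, a data: document has an opaque origin ('self' never
// matches), an http(s) document has the origin of its own URL.
function frameOrigin(parentOrigin, frame) {
  if (frame.srcdoc !== undefined || frame.src === undefined || frame.src === 'about:blank') {
    return parentOrigin;
  }
  if (/^data:/i.test(frame.src)) return null;
  return new URL(frame.src).origin;
}

// Does a single CSP source expression match a script URL (a URL object)?
function sourceMatches(expr, url, origin) {
  if (expr === "'self'") return origin !== null && url.origin === origin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (expr === '*') return !/^(data|blob|filesystem):/i.test(url.href);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (!scheme && !['http:', 'https:'].includes(url.protocol)) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  const urlPort = url.port || { 'http:': '80', 'https:': '443' }[url.protocol] || '';
  return port === undefined || port === '*' || port === urlPort;
}

// Predict whether <script src=scriptUrl> inside `frame` is allowed.
// parent = { origin, csp }. script-src falls back to default-src. Note that
// frame-src in the parent only decides whether the frame may be embedded;
// it says nothing about what the framed document itself may load.
function isScriptAllowed(parent, frame, scriptUrl) {
  const policy = governingPolicy(parent.csp, frame);
  if (policy === null) return true;
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  const origin = frameOrigin(parent.origin, frame);
  return sources.some((expr) => sourceMatches(expr, new URL(scriptUrl), origin));
}

// The question's setup, with constructed origins.
const A = { origin: 'https://a.example', csp: "default-src 'none'; script-src 'self'; frame-src https://b.example" };
const CDN = 'https://cdn.example.net/lib.js';
const crossOriginFrame = { src: 'https://b.example/widget' }; // B sends no CSP header
const srcdocFrame = { srcdoc: '<script src="' + CDN + '"></script>' };
const dataFrame = { src: 'data:text/html,<script src="' + CDN + '"></script>' };

console.log('cross-origin frame B loads CDN script:', isScriptAllowed(A, crossOriginFrame, CDN)); // true
console.log('srcdoc frame in A loads CDN script:   ', isScriptAllowed(A, srcdocFrame, CDN)); // false
console.log('srcdoc frame in A loads A script:     ', isScriptAllowed(A, srcdocFrame, 'https://a.example/app.js')); // true
console.log('data: frame in A loads A script:      ', isScriptAllowed(A, dataFrame, 'https://a.example/app.js')); // false
```

Run it with node. For the question's setup it reports true for the cross-origin frame B, because no policy governs that document (B sent none and A's is not inherited), and false for a srcdoc frame that tries to load the same CDN script, because that document is governed by A's script-src 'self'. The data: case shows a further wrinkle: the frame inherits A's policy but not A's origin, so even A's own scripts are blocked there by 'self'. To observe the real thing rather than the model, give B its own Content-Security-Policy header and watch which frame's console reports the violation.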