As per this link,

The embedded resource, however, is controlled by the policy delivered with the resource, or the policy of the embedding resource if the embedded resource is a globally unique identifier (or a srcdoc frame)

My question is, if I am embedding an iframe using srcdoc/globally unique identifier (like a data:// or blob://), and the embedded HTML has a CSP specified using the tags, then which CSP will be enforced?

pepper

2 Answers

The CSP2 section you refer to is not normative, therefore browsers have their own implementations. As tests have shown, the <frame src=data:-URL>, <frame src=blob:-URL> and <frame src=javascript:-URL> inherit the parent document's CSP.
This way you will have 2 CSPs in the iframe: the iframe's own and the parent's one.

Moreover, in Firefox 52.9 ESR (a CSP3 browser) the CSP was propagated from the iframe to the parent document.

A srcdoc frame has more specifics:

  • In terms of SOP, srcdoc=, as inline HTML to embed, inherits the origin from the document that loaded such iframe.
  • The content from srcdoc= is part of the parent document, so the CSP of the parent document applies, but frame-src directive is not applied to it.
  • scripts in the <iframe srcdoc=> are executed in the parent context.

Demo of CSP inheritance for the <iframe src=><iframe srcdoc='some HTML'></iframe></iframe> structure

Below is a demo for CSP inheritance into a nested <iframe srcdoc>:

<iframe src="data:text/html;charset=utf-8,<head>
<meta http-equiv='Content-Security-Policy' content=&quot;default-src 'none'; script-src 'none'; style-src 'none';&quot;>
</head>
<body>
&amp;lt;meta CSP=default-src 'none'; script-src 'none'; style-src 'none';&amp;gt;
<br>
<iframe srcdoc=&quot;<head></head>
<body>
 content over <em>srcdoc=</em>: <span  style='color:blue;'>this should be in blue</span>
 <br>
 some content inserted over JS: <span id='span'><font color='silver'>failed</font></span>
 <script>
   document.getElementById('span').innerHTML = 'Done!';
   document.getElementById('span').style.color = 'green';
 </script>
</body>
&quot; width=300 height=80></iframe>
</body>
" width=400 height=150></iframe>

As you can see, inline style and inline script are blocked, the violation messages appear in the browser console.

Please note that the frame-src directive is omitted and its fallback default-src directive is set to 'none' (meaning embedding iframes is prohibited). But <iframe srcdoc=> is successfully embedded.
Let's compare with the same test but without <meta CSP>:

<iframe src="data:text/html;charset=utf-8,<head>
</head>
<body>
without &amp;lt;meta CSP&amp;gt;
<br>
<iframe srcdoc=&quot;<head></head>
<body>
 content over <em>srcdoc=</em>: <span  style='color:blue;'>this should be in blue</span>
 <br>
 some content inserted over JS: <span id='span'><font color='silver'>failed</font></span>
 <script>
   document.getElementById('span').innerHTML = 'Done!';
   document.getElementById('span').style.color = 'green';
 </script>
</body>
&quot; width=300 height=80></iframe>
</body>
" width=400 height=150></iframe>

As you can see, inline style is applied and inline script is executed.

granty
  • Can you please consider posting an answer to https://stackoverflow.com/q/43236626/441757? — because based on what you’ve found and documented in some of your recent SO answers (like this one), it sounds like the accepted answer there (my answer) is in fact not correct. So it would be better to have an answer there that is actually correct. – sideshowbarker Jun 09 '21 at 19:20
  • Your answer in the topic you linked was absolutely correct in the context of the question posed. It was a question about a nested iframe loaded through a network scheme while the nuances discovered relate to non-network data:-URL/blob:-URL schemes. I think posting a second answer will create a little mess and mislead users. Maybe it is better to point out in your post that there are nuances for non-network data: / blob: schemes and for srcdoc, and make a link to this topic? I'm still a rookie here, therefore I'll do what you think is better to make `SO` more helpful for visitors. – granty Jun 10 '21 at 21:29
  • I can check the "Community wiki" box so the community can edit this information if browser behavior changes in the future. I also found that some tests can be done on the SO platform using the Code Snippet. I added a test for the ` – granty Jun 10 '21 at 21:40
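The following is an added example, not code from the answer above or from any browser. It models, in Node.js, the rule that the answer observed empirically and that CSP3 later made normative: a frame whose document comes from a local scheme (data:, blob:, about:srcdoc, javascript:) inherits the embedding document's policies on top of any <meta> policy it declares itself, so every enforced policy gets a vote and more policies can only block more; a network-loaded frame gets only the policy delivered with it. It also shows the frame-src to child-src to default-src fallback that makes the bare default-src 'none' above govern frame loads, and rebuilds the nested data:/srcdoc test page with the attribute escaping done programmatically, since getting the nesting of &quot; right by hand is the error-prone part of that demo. The function names, the FALLBACK table limited to four directives, and the omission of nonces and hashes from the inline check are simplifications chosen for this example.

```javascript
// Added example (not from the original post): a model of CSP inheritance into
// local-scheme frames, plus a generator for the nested data:/srcdoc test page.

// Parse a serialized policy ("default-src 'none'; script-src 'self'") into
// Map<directive name, source list>. Duplicate directives: the first one wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources.map(s => s.toLowerCase()));
  }
  return directives;
}

// Fallback chains for the fetch directives used on this page (subset of CSP3).
const FALLBACK = {
  'frame-src': ['child-src', 'default-src'],
  'child-src': ['default-src'],
  'script-src': ['default-src'],
  'style-src': ['default-src'],
};

// The directive that actually governs `name` under `policy` after fallback,
// or null when nothing in the policy restricts it.
function effectiveDirective(policy, name) {
  const directives = parseCsp(policy);
  for (const candidate of [name, ...(FALLBACK[name] || [])]) {
    if (directives.has(candidate)) return { name: candidate, sources: directives.get(candidate) };
  }
  return null;
}

// Local schemes: documents loaded from these inherit the parent's policies.
function inheritsParentCsp(frameUrl) {
  return /^(data:|blob:|javascript:|about:srcdoc$)/i.test(frameUrl.trim());
}

// All policies enforced inside a frame: inherited ones (local schemes only)
// followed by the frame's own <meta>/header policy, if any.
function policiesForFrame(parentPolicies, frameUrl, ownPolicy) {
  const inherited = inheritsParentCsp(frameUrl) ? [...parentPolicies] : [];
  return ownPolicy ? [...inherited, ownPolicy] : inherited;
}

// Is an inline <script> ('script-src') or style attribute ('style-src')
// allowed? It is blocked if ANY enforced policy restricts the directive
// without 'unsafe-inline'. Assumption for this demo: nonces/hashes are
// not modelled, so 'unsafe-inline' alone decides.
function inlineAllowed(policies, directive) {
  return policies.every(policy => {
    const eff = effectiveDirective(policy, directive);
    return eff === null || eff.sources.includes("'unsafe-inline'");
  });
}

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(text) {
  return text.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Rebuild the answer's demo: an outer data: frame, optionally carrying a
// <meta> CSP, that embeds an inner srcdoc frame with an inline style and an
// inline script. Pass null for `metaCsp` to reproduce the policy-free test.
function buildNestedTestPage(metaCsp) {
  const innerSrcdoc =
    "<body>content over <em>srcdoc=</em>: <span style='color:blue;'>this should be in blue</span>" +
    "<br>some content inserted over JS: <span id='span'>failed</span>" +
    "<script>document.getElementById('span').textContent = 'Done!';</script></body>";
  const head = metaCsp
    ? `<head><meta http-equiv="Content-Security-Policy" content="${escapeAttr(metaCsp)}"></head>`
    : '<head></head>';
  // The inner document exactly as the browser sees it after decoding the outer src attribute.
  const innerDocument =
    `${head}<body><iframe srcdoc="${escapeAttr(innerSrcdoc)}" width=300 height=80></iframe></body>`;
  // Escape once more: the whole inner document sits inside the outer src="..." attribute.
  return `<iframe src="data:text/html;charset=utf-8,${escapeAttr(innerDocument)}" width=400 height=150></iframe>`;
}

module.exports = { parseCsp, effectiveDirective, inheritsParentCsp, policiesForFrame, inlineAllowed, buildNestedTestPage };
```

Paste the string returned by buildNestedTestPage("default-src 'none'; script-src 'none'; style-src 'none';") into any page to reproduce the first test, and buildNestedTestPage(null) for the second; the model predicts the blue style and the "Done!" script are blocked in the first case (the srcdoc frame inherits default-src 'none') and allowed in the second. Note that a stricter own policy in the frame can only add restrictions: the frame cannot relax what the inherited parent policy already forbids.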
The frame-src is applied to the page.

A frame is allowed to have its own CSP, regardless of the CSP of its parent document.

Shai Alon