
If I'm loading another site in an iFrame, do the Content Security Policy headers of that site have any effect on whether the site gets blocked?

e.g. if I open www.google.com in an iFrame is there any interaction between the CSP header settings on my site and the ones on google.com? Or would Google's CSP only affect what they're trying to load in the iFrame.

Of course if Google had their own iFrames they'd need CSP headers to allow any 3rd party content to load. But do my CSP headers have any effect on Google's after google.com starts to load? If Google tried to load youtube.com in an iFrame and I didn't include youtube.com in my CSP whitelist, would that work?

Sorry if this is a silly question, I'm trying to wrap my head around iFrames. What I'm wondering is if I need to worry about the CSP settings on the third party, especially if I'm nesting iFrames, or if I only need to worry about my CSP policy.

I think what I'm getting at is this: Once I've said "allow this 3rd party site to load" in my CSP headers can that site load whatever it wants based on their CSP headers?

Thanks!

  • As far as the effect on your document of the CSP policy for the document in the iframe: No, a CSP policy for a document in an iframe doesn't affect the parent document of the iframe at all. If you open `www.google.com` in an iframe, there is no interaction between the CSP header settings on your site and the ones on `www.google.com`. Google's CSP policy only affects what gets loaded in the iframe. As far as the effect on the iframe of your document's CSP policy, see the answer at https://stackoverflow.com/questions/43236626/what-csp-child-iframe-inherits-from-its-parent/43237443#43237443 – sideshowbarker Jul 07 '22 at 22:27


Let's say that you have site A framing site B. Site A must not set a framing policy that denies site B and site B must not set a policy that prevents being framed by A.

Site A can set "frame-src B" to explicitly allow site B to be framed. If frame-src is not set, child-src is used as a fallback, and if that is not set, default-src is used as a fallback. If none of them are restricted, all sites can be framed.

Site B can set "frame-ancestors A" to allow framing by A. This directive has no fallback. If it is not set, any site can frame site B. If it is set, only the sites listed as valid sources can frame it.

Apart from frame-src (child-src, default-src) for the framer and frame-ancestors for the framed, there is no impact on other sites by the CSP; they each control their own sources.

Halvor Sakshaug
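The two-sided check described in this answer (frame-src with its child-src and default-src fallback on the framer, frame-ancestors with no fallback on the framed document), as an added example that is not part of the answer. Source matching is simplified to exact origins, `*`, `'self'` and `'none'`; real CSP source expressions also cover schemes, ports, paths and host wildcards.

```javascript
// Added example: resolve whether site A may frame site B from both CSP headers.
// Assumes origins are given as "https://host" strings; matching is simplified.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// frame-src falls back to child-src, then default-src; null means unrestricted.
function effectiveFrameSrc(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (name in directives) return directives[name];
  }
  return null;
}

// Simplified source-list evaluation: 'none', '*', 'self' and exact origins.
function sourceListAllows(sources, origin, selfOrigin) {
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((s) => {
    if (s === '*') return true;
    if (s === "'self'") return origin.toLowerCase() === selfOrigin.toLowerCase();
    return s.toLowerCase() === origin.toLowerCase();
  });
}

// Does the framer's policy (with fallbacks) let it embed framedOrigin?
function framerAllows(framerHeader, framerOrigin, framedOrigin) {
  const sources = effectiveFrameSrc(parseCsp(framerHeader));
  return sourceListAllows(sources, framedOrigin, framerOrigin);
}

// Does the framed document accept framerOrigin as an ancestor?
// frame-ancestors has no fallback: when absent, any site may frame it.
function framedAllows(framedHeader, framedOrigin, framerOrigin) {
  const d = parseCsp(framedHeader);
  if (!('frame-ancestors' in d)) return true;
  return sourceListAllows(d['frame-ancestors'], framerOrigin, framedOrigin);
}

// Both sides must agree for the frame to load.
function canFrame(framerHeader, framerOrigin, framedHeader, framedOrigin) {
  return framerAllows(framerHeader, framerOrigin, framedOrigin) &&
    framedAllows(framedHeader, framedOrigin, framerOrigin);
}
```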

CSP header directives corresponding to iframes:

  • frame-src
  • frame-ancestors

Let's say your site is xyz.com and Google's site is "google.com". Site xyz.com has its own CSP, which controls:

    1. Who can load xyz.com as an iframe, decided by the frame-ancestors directive
    2. Who can be loaded inside xyz.com as an iframe, decided by the frame-src directive

The same scenario applies to google.com (whose CSP can decide who can be loaded as an iframe inside its app and who can load google.com as an iframe).

Each HTML document has its own CSP response header, which will not interfere with its host app (parent frame) or its iframes (child frames).

xyz.com's CSP only decides who should load it and who it should load as a frame; it cannot control its host frame or child frames (they are considered separate entities).

Apart from this, another header, X-FRAME-OPTIONS, is also available with minimal control options to decide whether a site should load as a frame or not.

For detailed reference:

Adhi