- From: James Marshall <james@jmarshall.com>
- Date: Fri, 26 Apr 2013 17:28:24 -0700
- To: public-webappsec@w3.org
- Message-ID: <CAGEp=f0HeLksixL8Hq+TtYDbLXwE8YfVs7RBn++h37Bj1AKVOA@mail.gmail.com>
If a frame or iframe is constructed with a "data:" URI, is that frame's
content governed by the CSP of the parent document? If not, then it
currently seems like a way to bypass CSP enforcement.
For example, the HTML in this HTTP response, including the embedded
alert(), is rendered by both Firefox and Chrome:
=============================
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'
Content-Type: text/html

<html><body>
<p>Before iframe.
<iframe
src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>
<p>After iframe.
</body></html>
=============================
The data: URI decodes to "<html><body><p>before script<script type="text/javascript">alert('in script')</script><p>after script</body></html>".
Perhaps the CSP's frame-src should be required to contain 'unsafe-inline'
before rendering data: URIs in frame and iframe elements?
Thanks again,
James
Received on Saturday, 27 April 2013 00:28:51 UTC
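As an added example (not part of James's post or of any W3C or browser code), here is a small Python check a defender can run over a response like the one quoted above: it finds frame/iframe elements with data: URIs, decodes them, flags inline script inside the framed content, and reports whether the parent's frame-src (falling back to child-src, then default-src) permits data: as a frame source at all. The constant names, regular expressions and function names are my own; the sample input is the response quoted in the post.

```python
import base64
import re
from urllib.parse import unquote

# Constructed input: the CSP header and body of the response quoted in the post.
CSP_HEADER = "default-src 'none'"
HTML_BODY = """<html><body>
<p>Before iframe.
<iframe
src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>
<p>After iframe.
</body></html>"""
# src attribute of a <frame>/<iframe>, and an inline <script> (one without src=).
FRAME_SRC = re.compile(r"<i?frame\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
INLINE_SCRIPT = re.compile(rb"<script(?![^>]*\bsrc=)[^>]*>", re.I)

def parse_csp(header):
    """Map each CSP directive name to its lower-cased source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [s.lower() for s in parts[1:]]
    return policy

def frame_sources(policy):
    """frame-src governs frames, falling back to child-src and then default-src."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return policy[name]
    return None  # no applicable directive: frames are unrestricted

def data_uri_allowed(policy):
    """Only an explicit data: source permits data: frames; '*' does not match it."""
    sources = frame_sources(policy)
    return sources is None or "data:" in sources

def decode_data_uri(uri):
    """Return the payload bytes of a data: URI (base64 or percent-encoded)."""
    meta, _, payload = uri[len("data:"):].partition(",")
    return base64.b64decode(payload) if meta.endswith(";base64") else unquote(payload).encode()

def audit(csp_header, html):
    """Per data: frame: does its content carry inline script, and does the policy allow data: frames?"""
    policy = parse_csp(csp_header)
    return [{"src": src[:32] + "...",
             "inline_script": bool(INLINE_SCRIPT.search(decode_data_uri(src))),
             "frame_src_allows_data": data_uri_allowed(policy)}
            for src in FRAME_SRC.findall(html) if src.lower().startswith("data:")]
```

For the quoted response this reports one data: frame with inline script under a policy that does not list data: as a frame source, which is exactly the case where whether the child inherits the parent's CSP decides if the alert() runs.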