Reputation: 420
I'd like to open an HTTP iframe inside an HTTPS page. Of course this is not normally possible as it will trigger a 'mixed-content' violation.
Is there any way to bypass a mixed content block using "Content-Security-Policy" and hash sources?
Example:
http://mysite/my-frame.html has a SHA-256 hash of sha256-xxxyyy....zzz
https://mysite/index.html will be served with a Content-Security-Policy header as follows (or inlines an equivalent <meta> tag), along with CORS headers:
Content-Security-Policy: frame-src sha256-xxxxyyyy....zzz
https://mysite/index.html includes an <iframe src='http://mysite/my-frame.html'>
Will this work? Is there any other method to make this possible?
Note: upgrade-insecure-requests will not work because the page is a navigational request AND the frame HAS to be served from HTTP.
Upvotes: 0
Views: 857
Reputation: 2067
What if the server sets the CSP child-src to http://mysite/my-frame.html? As I read the definitions it should work.
"child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins. Use this in place of the deprecated frame-src directive."
Source: https://www.html5rocks.com/en/tutorials/security/content-security-policy/
Upvotes: 0
Reputation: 1148
No, there's no way to bypass the security block on modern browsers (starting from Firefox 23, Chrome 14, IE9).
Thankfully, most modern browsers block this type of dangerous content by default.
Upvotes: 1
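As an added illustration of the two checks discussed in the question and in the child-src answer (this is an educational model written for this page, not browser source and not code from either poster), the Node.js script below applies them separately: the CSP fallback chain that governs frames (frame-src, then child-src, then default-src) and the mixed-content rule for an https document. The constructed scenarios use the question's own URLs and hash placeholder. Two simplifications are assumed: hash and nonce sources are treated as never matching a URL (they only apply to inline script and style), and the "potentially trustworthy" test is reduced to https/wss/file plus localhost.

```javascript
// Added educational model, not browser source and not from the question or
// either answer. It applies the two independent checks a browser makes before
// loading an <iframe>: the CSP directive that governs frames, and the
// mixed-content rule. CSP can only narrow what a page may embed; it has no
// source expression that grants an exception to mixed-content blocking.

function parseCsp(header) {
  // "frame-src http://a; default-src 'self'" -> { 'frame-src': [...], ... }
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// CSP3 fallback chain for nested browsing contexts.
function frameSourceList(policy) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (policy[name]) return { directive: name, sources: policy[name] };
  }
  return null; // no governing directive: CSP places no restriction on frames
}

// Simplified "does url match source expression" for the forms that matter here.
function sourceMatches(expr, url, pageUrl) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === pageUrl.origin;
  // Hash and nonce sources only ever match inline script/style content; they
  // can never match a URL, so inside frame-src they are dead entries.
  if (/^'(sha256|sha384|sha512|nonce)-/.test(expr)) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme-source, e.g. https:
    const s = expr.toLowerCase();
    return url.protocol === s || (s === 'http:' && url.protocol === 'https:');
  }
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    const s = scheme.toLowerCase() + ':';
    if (url.protocol !== s && !(s === 'http:' && url.protocol === 'https:')) return false;
  } else if (url.protocol !== pageUrl.protocol &&
             !(pageUrl.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }
  const h = host.toLowerCase();
  if (h.startsWith('*.') ? !url.hostname.endsWith(h.slice(1)) : url.hostname !== h) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && urlPort !== port) return false;
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Mixed Content rule: an https document may not load "blockable" content
// (frames are blockable) from an origin that is not potentially trustworthy.
// Simplified trustworthiness test (assumption for this model).
function isPotentiallyTrustworthy(url) {
  return ['https:', 'wss:', 'file:'].includes(url.protocol) ||
    url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

function evaluateFrameEmbed(pageHref, frameHref, cspHeader) {
  const pageUrl = new URL(pageHref);
  let frameUrl = new URL(frameHref);
  const policy = parseCsp(cspHeader || '');
  const reasons = [];

  // upgrade-insecure-requests rewrites http -> https before the fetch, so the
  // frame is never requested over plain HTTP at all.
  let upgraded = false;
  if ('upgrade-insecure-requests' in policy && frameUrl.protocol === 'http:') {
    frameUrl = new URL(frameHref.replace(/^http:/i, 'https:'));
    upgraded = true;
    reasons.push('upgrade-insecure-requests rewrote the frame URL to https');
  }

  const list = frameSourceList(policy);
  const cspAllowed = !list || list.sources.some(e => sourceMatches(e, frameUrl, pageUrl));
  if (!cspAllowed) reasons.push(`${list.directive} does not allow ${frameUrl.href}`);

  const mixedContent = isPotentiallyTrustworthy(pageUrl) && !isPotentiallyTrustworthy(frameUrl);
  if (mixedContent) reasons.push('blockable mixed content: http frame in an https document');

  return { cspAllowed, mixedContent, upgraded, frameUrl: frameUrl.href,
           blocked: !cspAllowed || mixedContent, reasons };
}

// Constructed scenarios: the question's header, the child-src suggestion, and
// upgrade-insecure-requests (which fetches the frame over https, not http).
const demoPage = 'https://mysite/index.html';
const demoFrame = 'http://mysite/my-frame.html';
for (const csp of ["frame-src 'sha256-xxxxyyyy....zzz'", 'child-src http://mysite/my-frame.html',
                   'upgrade-insecure-requests; frame-src http://mysite']) {
  console.log(JSON.stringify({ csp, ...evaluateFrameEmbed(demoPage, demoFrame, csp) }));
}
```

Run it with `node`. The first two scenarios come out blocked for the same reason (mixed content) even though the second one passes the CSP check, which is the point both answers circle around: a CSP source list decides only whether the page is permitted to embed that URL, and the mixed-content check is evaluated on top of it. The third scenario is not blocked, but only because the frame is now requested over https.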