CODEWITHSUNDEEP
htmlsecurityfirefoxcontent-security-policy
Wojciech Reszelewski
Wojciech Reszelewski

Reputation: 2706

Content Security Policy inside iframe affects whole page on Firefox

I have a situation where ad have a CSP definition inside an iframe. In chrome there are no problems, but in firefox, after ad is loaded CSP affects whole page and I'm unable to load any other resources.

You can see the problem with this example:

<html>
<head>
    <script>

        function getScript(url) {
            let tag = document.createElement('script');
            tag.src = url;
            tag.onload = () => document.getElementById('console').innerHTML += url + " loaded<br>";
            document.body.appendChild(tag);
        }
        function getFromCdnFirst() {
            getScript('https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.js');
        }

        function getFromCdnSecond() {
            getScript('https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.slim.min.js');
        }

        function getIframeWithCSP() {
            var doc = document.getElementById('iframe').contentWindow.document;
            doc.open();
            doc.write('<html><head><meta http-equiv="Content-Security-Policy" content="script-src https://cdn.ampproject.org/;object-src '+"'none';child-src blob:;frame-src 'none'" + '"></head><body>Test</body>');
            doc.close();
        }

    </script>
</head>

<body>
    <iframe id="iframe"></iframe><br>
    <button onClick="getFromCdnFirst()">Get script</button><br>
    <button onClick="getIframeWithCSP()">Get CSP</button><br>
    <button onClick="getFromCdnSecond()">Get script</button><br>
<div id="console">
</div>
</body>

It is also available here: https://jsfiddle.net/54Luhjan/1/

After you click the first button, js loads, the second link inserts CSP into iframe and after that scripts can't be loaded - CSP prevents it.

Do you have any idea what can I do to prevent external CSP corrupting my page?

Is it a Firefox bug?

Upvotes: 3

Views: 784

Answers (1)

KWierso
KWierso

Reputation: 46

I ran mozregression over beta and nightly builds of Firefox. It seems like the jsfiddle successfully loads things on the third button click starting with builds that contain the patches from Mozilla's bug 965637, which landed in the trunk on 2019-05-21 (21 May 2019).

So it’s a bug in Firefox 67 (and maybe in earlier versions too) but it’s since been fixed, and the fix will be included in the Firefox 69 release scheduled for 2019-09-03 (3 September 2019).

Unfortunately, though, the fix wasn’t made in time to get into the branch cut for Firefox 68, so the bug will still be present in the Firefox 68 release, scheduled for 2019-07-09 (9 July 2019).

Upvotes: 2

Related Questions