Intro
This was briefly discussed during the WECG London F2F. Frames are complying differently towards the frame-src of CSP in different browsers. This was raised by @kzar in https://issues.chromium.org/issues/40205611.
Setup
Given the following scenario:
- Extension has a content script registered for website X
- Website X has an CSP of frame-src youtube.com
- Website X has an iframe set to youtube.com/embed/x
- Extension navigates frame to youtube-nocookie.com/embed/x
Demo extension: https://jeurissen.co/webext-demos/content-script-iframe-csp-bypass
Result
Chrome/Edge navigate the frame to youtube-nocookie.com even tho it does not comply with the page CSP. Subsequent navigations by the iframed document will again result in CSP compliance unless it is initiated by the extensions isolated world content script.
Firefox/Safari/Orion do not allow the navigation to youtube-nocookie.com//embed/x, strictly complying with the page CSP.
Next steps
Figure out if the current behaviour is intended and if we can align this cross-browser. If I recall correctly, @rdcronin mentioned in London the current Chrome behaviour is most likely intended and changing it may be a breaking change.
Related Safari issue, in some cases, the page CSP even blocks loading data:image urls even tho the iframed CSP should allow this. See https://bugs.webkit.org/show_bug.cgi?id=311728
Intro
This was briefly discussed during the WECG London F2F. Frames are complying differently towards the frame-src of CSP in different browsers. This was raised by @kzar in https://issues.chromium.org/issues/40205611.
Setup
Given the following scenario:
Demo extension: https://jeurissen.co/webext-demos/content-script-iframe-csp-bypass
Result
Chrome/Edge navigate the frame to youtube-nocookie.com even tho it does not comply with the page CSP. Subsequent navigations by the iframed document will again result in CSP compliance unless it is initiated by the extensions isolated world content script.
Firefox/Safari/Orion do not allow the navigation to youtube-nocookie.com//embed/x, strictly complying with the page CSP.
Next steps
Figure out if the current behaviour is intended and if we can align this cross-browser. If I recall correctly, @rdcronin mentioned in London the current Chrome behaviour is most likely intended and changing it may be a breaking change.
Related Safari issue, in some cases, the page CSP even blocks loading data:image urls even tho the iframed CSP should allow this. See https://bugs.webkit.org/show_bug.cgi?id=311728