What CSP does a child iframe inherit from its parent?
Problem description
I have a webpage (say origin=A) that has an iframe embedded in it which loads from a different domain (say B). B loads a bunch of scripts from different domains (various CDNs). My webpage A sets a pretty strict CSP like:
default-src 'none'; script-src 'self'; frame-src B
B doesn't set any CSP headers.
Now I would expect the child frame, B, to inherit the CSP rules of A, and trying to access various CDNs should be a violation of its CSP because of script-src 'self', but to my surprise, it works smoothly.
So my question is: How is CSP inherited by child iframes? Does it depend on its parent frame's CSP if no CSP is set for the iframe? If yes, how? Is there any documentation somewhere about it? I couldn't find anything specific that would explain the situation above.
Is there a way I can debug the CSP inherited by child iframes? From Chrome's debugger or FF's debugger, by selecting the iframe so that the CSP for the iframe would show up?
How is CSP inherited by child iframes?
It’s not. That is, not in the common case (the "loads from a different domain" case in the question).
But there are other ways to populate an iframe, and CSP works differently in those cases (see below).
Does it depend on its parent frame's CSP if CSP for the iframe is not mentioned?
No, it doesn’t for the common case (the "loads from a different domain" case given in the question).
Is there any documentation somewhere about it?
Yes, see the Policy applicability section of the CSP2 specification, which says this:
Embedded Contexts: Any resource included via iframe, object, or embed. Unless the embedded resource is a globally unique identifier (or a srcdoc iframe), the embedded resource is controlled by the policy delivered with the resource. If the embedded resource is a globally unique identifier or srcdoc iframe, it inherits the policy of the context creating it.
A "globally unique identifier" is something with a data: URL or another kind of URL that’s not a hierarchical URL such as an https/http URL.
So the common case (described as "loads from a different domain" in the question) is an "embedded resource is controlled by the policy delivered with the resource" case—that is, it doesn’t inherit.
In contrast, if the iframe is a srcdoc iframe, the case is very different and the spec says:
Whenever a user agent creates an iframe srcdoc document in a browsing context nested in the protected resource, if the user agent is enforcing any policies for the protected resource, the user agent MUST enforce those policies on the iframe srcdoc document as well.
That is, a srcdoc iframe does inherit its parent’s CSP policy.
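The following is an added example, not code from the question or the answer above: a small JavaScript model of the CSP2 "policy applicability" rule the answer quotes, run against the situation in the question. It assumes Node's global URL class; the origins (https://a.example, https://b.example), the CDN URL and the policies are constructed for illustration. It goes slightly beyond the question by also covering a data: URL frame, which the answer classes as a "globally unique identifier".

```javascript
// Added example (not from the original question or answer): which CSP governs
// the document inside an iframe, per CSP2 "Policy applicability", and whether
// that policy allows a third-party script. All origins and URLs are constructed.

// Parse a serialized CSP header value into { directive: [source, ...] }.
function parseCsp(serialized) {
  const policy = {};
  for (const part of (serialized || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Which policy governs the document inside an iframe?
//  - srcdoc iframe:                       inherits the embedder's policy
//  - non-hierarchical URL (data:, blob:): inherits the embedder's policy
//  - hierarchical URL (http:, https:):    governed only by the policy delivered
//                                         with that resource (possibly none)
function effectivePolicyForFrame(frame, parentPolicy) {
  if (frame.srcdoc !== undefined) {
    return { source: 'inherited', policy: parentPolicy };
  }
  const scheme = frame.src.split(':')[0].toLowerCase();
  const hierarchical = ['http', 'https', 'ws', 'wss', 'ftp'];
  if (!hierarchical.includes(scheme)) {
    return { source: 'inherited', policy: parentPolicy };
  }
  return { source: 'delivered', policy: frame.deliveredPolicy || {} };
}

// Does the governing policy allow a script from scriptUrl? Uses script-src,
// falling back to default-src, and understands 'none', 'self', '*', scheme
// sources and host sources (with a leading *. wildcard).
function scriptAllowed(policy, documentOrigin, scriptUrl) {
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no applicable directive: nothing restricts the load
  if (sources.includes("'none'")) return false;
  const target = new URL(scriptUrl);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === documentOrigin;
    if (src === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    if (src.includes('://')) return new URL(src).origin === target.origin;
    if (src.startsWith('*.')) return target.hostname.endsWith(src.slice(1));
    return target.hostname === src;
  });
}

// The situation from the question: page A with a strict policy embeds B.
const pageAOrigin = 'https://a.example'; // constructed
const pageAPolicy = parseCsp("default-src 'none'; script-src 'self'; frame-src https://b.example");
const cdnScript = 'https://cdn.example.net/lib.js'; // constructed

function scenarioResults() {
  // B is a cross-origin document that sends no CSP header of its own.
  const crossOriginFrame = { src: 'https://b.example/', deliveredPolicy: parseCsp('') };
  const b = effectivePolicyForFrame(crossOriginFrame, pageAPolicy);

  // The same markup delivered through a srcdoc iframe inherits A's policy,
  // and a srcdoc document shares A's origin.
  const srcdocFrame = { srcdoc: '<script src="' + cdnScript + '"></script>' };
  const s = effectivePolicyForFrame(srcdocFrame, pageAPolicy);

  // A data: URL frame is a "globally unique identifier" and also inherits;
  // its origin is opaque, so 'self' can never match there.
  const dataFrame = { src: 'data:text/html,<script src="' + cdnScript + '"></script>' };
  const d = effectivePolicyForFrame(dataFrame, pageAPolicy);

  return {
    crossOrigin: { policySource: b.source, cdnAllowed: scriptAllowed(b.policy, 'https://b.example', cdnScript) },
    srcdoc: { policySource: s.source, cdnAllowed: scriptAllowed(s.policy, pageAOrigin, cdnScript) },
    dataUrl: { policySource: d.source, cdnAllowed: scriptAllowed(d.policy, 'null', cdnScript) },
  };
}

console.log(JSON.stringify(scenarioResults(), null, 2));
```

Running it with node prints the three cases: the cross-origin frame ends up with an empty policy (so the CDN script loads, as observed in the question), while the srcdoc and data: frames inherit A's script-src 'self' and the CDN script is refused. Note that A's own frame-src still decides whether B may be embedded at all; that check happens in A and is unrelated to inheritance. The matcher covers only the source forms used in the question, not the full CSP source-expression grammar.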