What CSP child iframe inherits from its parent?


Problem description

I have a webpage (say origin=A) that has an iframe embedded in it which loads from a different domain (say B). B loads a bunch of scripts from different domains (various CDNs). My webpage A sets a pretty strict CSP like:

default-src 'none'; script-src 'self'; frame-src B

B doesn't set any CSP headers.

Now I would expect the child frame, B, to inherit the CSP rules of A and trying to access various CDNs should be a violation of its CSP because of script-src 'self' but to my surprise, it works smoothly.

So my question is: How is CSP inherited by child iframes? Does it depend on its parent frame's CSP if CSP for the iframe is not mentioned? If yes, how? Is there any documentation somewhere about it? I couldn't find anything specific that would explain the situation above.

Is there a way I can debug the CSP inherited by child iframes? From Chrome's debugger or FF's debugger, by selecting the iframe, and then the CSP for the iframe would show up?

Solution

How CSP is inherited by child iframes?

It’s not. That is, not in the common case (the "loads from a different domain" case in the question).

But there are other ways to populate an iframe, and CSP works differently in those cases (see below).

Does it depend on its parent frame's CSP if CSP for iframe is not mentioned?

No, it doesn’t for the common case (the "loads from a different domain" case given in the question).

Is there any documentation somewhere about it?

Yes, see the Policy applicability section of the CSP2 specification, which says this:

Embedded Contexts: Any resource included via iframe, object, or embed.

Unless the embedded resource is a globally unique identifier (or a srcdoc iframe), the embedded resource is controlled by the policy delivered with the resource. If the embedded resource is a globally unique identifier or srcdoc iframe, it inherits the policy of the context creating it.

A "globally unique identifier" is something with a data: URL or other kind of URL that's not a hierarchical URL such as an https/http URL.

So the common case (described as "loads from a different domain" in the question) is an "embedded resource is controlled by the policy delivered with the resource" case, that is, it doesn't inherit.

In contrast, if the iframe is a srcdoc iframe, the case is very different and the spec says:

Whenever a user agent creates an iframe srcdoc document in a browsing context nested in the protected resource, if the user agent is enforcing any policies for the protected resource, the user agent MUST enforce those policies on the iframe srcdoc document as well.

That is, a srcdoc iframe does inherit its parent's CSP policy.
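The two cases the answer contrasts can be checked offline with a small model of the CSP2 "policy applicability" rule. The script below is an added example, not code from the question, the answer, or any browser; the origins, policies and script URL are constructed for it, and its source-list matcher is deliberately simplified (it handles `'none'`, `'self'`, `*` and plain host sources, but no wildcards, paths, nonces or hashes). It treats a srcdoc document and any non-http(s) URL (data:, blob:) as inheriting the embedding context's policy, and everything else as governed only by the policy delivered with that resource.

```javascript
// Model of the CSP2 policy-applicability rule for embedded contexts.
// Added example: assumed names, constructed origins and policies, simplified
// matcher. Not the browser's real algorithm.

// Parse "directive value value; directive value" into { name: [values] }.
function parsePolicy(serialized) {
  const directives = {};
  for (const raw of serialized.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Which policy governs the document inside an iframe?
//  - srcdoc document: inherits the parent's policy (CSP2 iframe srcdoc rule)
//  - globally unique identifier (data:, blob:, ...): inherits the parent's policy
//  - http/https URL: only the policy delivered with that resource applies,
//    which for B in the question is no policy at all.
function effectivePolicyForFrame(parentPolicy, frame) {
  if (frame.srcdoc !== undefined) {
    return { source: "inherited", policy: parentPolicy };
  }
  const url = new URL(frame.src);
  const hierarchical = url.protocol === "http:" || url.protocol === "https:";
  if (!hierarchical) {
    return { source: "inherited", policy: parentPolicy };
  }
  return { source: "delivered", policy: frame.deliveredPolicy || "" };
}

// Simplified source-list check: does `policy` let the document at
// `documentOrigin` fetch `requestUrl` under `directive`? Falls back to
// default-src; no directive at all means no restriction.
function sourceAllowed(policy, directive, requestUrl, documentOrigin) {
  const d = parsePolicy(policy);
  const list = d[directive] || d["default-src"];
  if (list === undefined) return true;
  if (list.length === 1 && list[0] === "'none'") return false;
  const target = new URL(requestUrl);
  for (const expr of list) {
    if (expr === "*") return true;
    if (expr === "'self'") {
      if (target.origin === documentOrigin) return true;
      continue;
    }
    if (expr.startsWith("'")) continue; // other keywords: unsupported here
    // host-source with or without a scheme, e.g. https://b.example or b.example
    const hostSrc = expr.includes("://")
      ? new URL(expr)
      : new URL(target.protocol + "//" + expr);
    if (hostSrc.host === target.host && hostSrc.protocol === target.protocol) {
      return true;
    }
  }
  return false;
}

// Constructed scenario mirroring the question: A frames B, B pulls a CDN script.
const originA = "https://a.example";
const originB = "https://b.example";
const policyA = "default-src 'none'; script-src 'self'; frame-src https://b.example";
const cdnScript = "https://cdn.example/lib.js";

// Case 1: cross-origin frame, B sends no CSP headers.
const crossOriginFrame = { src: originB + "/page", deliveredPolicy: "" };
// Case 2: the same markup delivered as a srcdoc iframe (runs in A's origin).
const srcdocFrame = { srcdoc: "<script src='" + cdnScript + "'></script>" };

// Resolve the governing policy for the frame, then check the CDN script load.
function cdnScriptAllowed(parentPolicy, frame, frameOrigin) {
  const eff = effectivePolicyForFrame(parentPolicy, frame);
  return {
    governedBy: eff.source,
    allowed: sourceAllowed(eff.policy, "script-src", cdnScript, frameOrigin),
  };
}

console.log("cross-origin B, no CSP:", cdnScriptAllowed(policyA, crossOriginFrame, originB));
console.log("srcdoc frame in A:     ", cdnScriptAllowed(policyA, srcdocFrame, originA));
// What A's own policy does control: whether A may embed B at all.
console.log("A may frame B:", sourceAllowed(policyA, "frame-src", originB + "/page", originA));
```

Running it shows the cross-origin frame governed by a "delivered" (empty) policy with the CDN script allowed, the srcdoc frame governed by the "inherited" policy with the script blocked, and A's `frame-src` permitting B. The only lever A has over a cross-origin B is whether to frame it; restricting what B itself loads requires B to deliver its own policy (set `deliveredPolicy` to `"script-src 'self'"` on `crossOriginFrame` to see that case).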
