Should about:blank inherit CSP in addition to origin?

[bzbarsky]

Right now per spec it does not. That seems a bit odd, and a way for people to sneak things in past CSP if a page just uses a blank iframe as an extra rendering area.

[bzbarsky]

//cc @mikewest

[wanderview]

Also referrer-policy?

[wanderview]

Also, we've said things like the service worker controller should be inherited along with the origin:

w3c/ServiceWorker#1093

[bzbarsky]

So I wrote a testcase:

<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="img-src 'self'">
<iframe></iframe>
<script>
  const imageURL = "http://software.hixie.ch/resources/style/2010/trains.jpeg"
  function insertImage(doc) {
    var img = doc.createElement("img");
    img.src = imageURL;
    img.alt = "I am not here";
    doc.body.appendChild(img);
  }
  onload = function() {
    insertImage(document);
    insertImage(frames[0].document);
  }
</script>

and as far as I can tell, Firefox, Chrome, Safari, and Edge all apply the CSP from the parent to the subframe in this case.

[bzbarsky]

I guess this is kinda handled in https://w3c.github.io/webappsec-csp/#initialize-document-csp sorta. It's weird that we do this quite differently for about:blank and srcdoc...

[annevk]

Related: #1445.

[domenic]

@antosart I imagine this is now well-specified since CSP is in the policy container. Is it well-tested as well?

[antosart]

Yes, it is now well-specified and fully tested (see the inheritance folder inside CSP WPTs, and in particular iframe-all-local-schemes.sub.html and window.html.

Marking as closed.